FCW.com had a nice article highlighting several of the core National Institute of Standards and Technology (NIST) risk management documents in reading-list form. The Federal Information Security Management Act of 2002 (FISMA), and more recently the Federal Risk and Authorization Management Program (FedRAMP), tapped NIST to decompose these abstract standards and guidelines into more detailed, actionable recommendations so that agencies could effectively assess and manage their security risks. As a result of years of work, NIST has produced a comprehensive body of documentation on risk management. Although reading through these five documents isn't the most exciting way to learn risk management, it's probably one of the most comprehensive.
- SP 800-30 — Risk Management Guide for IT Systems
- SP 800-37 — Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
- SP 800-39 — Managing Information Security Risk: Organization, Mission and Information System View
- SP 800-53 — Recommended Security Controls for Federal Information Systems and Organizations
- SP 800-53A — Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
The Federal Information Security Management Act of 2002 and the newer Federal Risk and Authorization Management Program provide detailed requirements regarding what agencies need to consider when assessing and managing security risks. The National Institute of Standards and Technology takes those requirements into account in developing its guidelines for agencies.
FISMA establishes standards and guidance for agencies to use when assessing risks and selecting security controls, and agencies must report on their compliance annually. However, the law does not yet require agencies to demonstrate that security has actually improved, only that they have a process in place that will enable them to do so.
Even so, FISMA is credited with providing a good foundation for risk management in the federal government. Its requirement for continuous monitoring of security risks and controls is considered a fundamental shift in risk management because it moves reporting from periodic snapshots toward an ongoing, near-real-time process.
What do you think about NIST’s guidelines on risk management? Post your comments below. Today’s post pic is from ComputerServiceNow.com.