1. What is the National Institute for Standards and Technology (NIST)?
Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
2. What role does NIST play in information assurance?
This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.
3. What is the purpose of NIST Special Publication 800-30?
NIST Special Publication 800-30 is the document which provide guidelines that can used by Federal organization or may be, by non-governmental organizations which process sensitive information. These guidelines are not mandatory and binding standards.
4. What is the principal goal of an organization’s risk management process?
The objective of performing risk management is to enable the organization to accomplish its mission(s) (1) by better securing the IT systems that store, process, or transmit organizational information; (2) by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget; and (3) by assisting management in authorizing (or accrediting) the IT systems3 on the basis of the supporting documentation resulting from the performance of risk management.
5. According to NIST, what three processes compose risk management?
Risk assessment
Risk mitigation
Evaluation and assessment.
6. How does risk management relate to the System Development Life Cycle (SDLC)?
Minimizing negative impact on an organization and need for sound basis in decision making are the fundamental reasons organizations implement a risk management process for their IT systems. IT system’s SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. Risk management is an iterative process that can be performed during each major phase of the SDLC.
For example, in phase 1 of the SDCL the need for an IT system is expressed and the purpose and scope of the IT system is documented. Here, identified risks can be used to support the development of the system requirements, including security requirements, and a security concept of operations.
7. NIST 800-30 defines seven Information Assurance “key roles”. Name and briefly describe them.
i. Senior management: Basically, senior management is key stakeholders who involve supports and provides all required resources for successful risk management.
ii. Chief Information officer (CIO): Responsible for organization’s IT planning, budgeting and performance where decisions made are based on effective risk management.
iii. System and Information Owners: Responsible for ensuring the proper controls are in place to address integrity, confidentiality and availability of IT systems, approves changes in systems and should support risk management.
iv. Business and functional managers: These are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment.
v. ISSO: These are the leaders who introduce an appropriate, structured methodology to help identify, evaluate and minimize risks to the IT systems for risk management.
vi. IT security practitioners: Security analysts, computer specialists, application and database administrators, who properly implement security requirements in their IT systems.
vii. Security Awareness Trainers: They are responsible for developing appropriate training materials and incorporate risk assessment into training programs to educate the end users.
8. How does NIST 800-30 define risk?
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
9. How does NIST 800-30 define a threat?
A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability
10. How is a threat source defined? In your answer, name three common threat sources.
A threat-source is defined as any circumstance or event with the potential to cause harm to an IT system. The common threat sources can be natural, human, or environmental.
11. How does NIST 800-30 define vulnerability?
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
12. According to NIST, whose responsibility is IT Security? (Technical or management)
IT security program managers and computer security officers are responsible for their organizations’ IT security.
13. Used appropriately, what does a security control accomplish?
As it is impractical or close to impossible to eliminate all risks, properly applied security controls could decrease project/mission risk to an acceptable level, with minimal adverse impact on the organization’s resources and mission.
14. Define, compare, and contrast technical controls, management controls, and operational controls.
Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware.
Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization’s mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization’s goals and missions.
Operational controls, implemented in accordance with a base set of requirements (e.g., technical controls) and good industry practices, are used to correct operational deficiencies that could be exercised by potential threat-sources. To ensure consistency and uniformity in security operations, step-by-step procedures and methods for implementing operational controls must be clearly defined, documented, and maintained.
15. How can the adverse impact of a security event be described?
The adverse impact of a security event can be described in terms of loss or degradation of any, or a combination of any, of three security goals:
• Integrity of system and data
• Availability of the critical system to the end users
• Confidentiality i.e. the protection of system and data from unauthorized disclosure.
16. Describe the difference between quantitative and qualitative assessment?
Qualitative techniques are easier to apply and generally require less effort. Qualitative risk assessment is often sufficient for rank-ordering risks, allowing you to select the most significant ones for application of management techniques. But it does not provide specific quantifiable measurements of the magnitude of the impacts, therefore making a cost-benefit analysis of any recommended controls difficult.
Quantitative methods strive for greater precision, and they reveal more about each risk. These methods require more work, but, in addition to allowing you to sequence the risks from most of least significant. Quantitative analysis also provides data you can use to assess overall project risk and to estimate schedule and/or budget reserves for projects. Depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner.
17. Name and describe six risk mitigation options.
Risk Assumption: To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
Risk Avoidance: To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting preventive, detective controls)
Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
Research and Acknowledgment: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference: To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
18. Name and describe the three control categories.
Support Controls: Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.
Preventive Controls: Preventive controls focus on preventing security breaches from occurring in the first place.
Detection and Recovery: These controls focus on detecting and recovering from a security breach.
19. Define residual risk.
The risk remaining after the elimination of most of the risks or after the implementation new or enhanced controls is the residual risk.
Spring 09 Week 2
15 years ago