Discussion Post

Description

First, review the National Institute of Standards and Technology Guide for Conducting Risk Assessments PDF (NIST SP 800-30), paying particular attention to Chapter 3: The Process. Then, in your initial post, share the parts of the report you found interesting and explain how you could apply them in solving real-world problems. In addition, discuss any parts of the reading where you had challenges in understanding their application. Finally, highlight the part of the document you feel could be useful in completing your final project.


Graduate Discussion Rubric
Overview
Your active participation in the discussions is essential to your overall success this term. Discussion questions will help you make meaningful connections between the course content and the larger concepts of
the course. These discussions give you a chance to express your own thoughts, ask questions, and gain insight from your peers and instructor.
Directions
For each discussion, you must create one initial post and follow up with at least two response posts.
For your initial post, do the following:
Write a post of 1 to 2 paragraphs.
In Module One, complete your initial post by Thursday at 11:59 p.m. Eastern.
In Modules Two through Ten, complete your initial post by Thursday at 11:59 p.m. of your local time zone.
Consider content from other parts of the course where appropriate. Use proper citation methods for your discipline when referencing scholarly or popular sources.
For your response posts, do the following:
Reply to at least two classmates outside of your own initial post thread.
In Module One, complete your two response posts by Sunday at 11:59 p.m. Eastern.
In Modules Two through Ten, complete your two response posts by Sunday at 11:59 p.m. of your local time zone.
Demonstrate more depth and thought than saying things like “I agree” or “You are wrong.” Guidance is provided for you in the discussion prompt.
Discussion Rubric

Comprehension (Value: 20)
Exemplary (100%): Develops an initial post with an organized, clear point of view or idea using rich and significant detail.
Proficient (90%): Develops an initial post with a point of view or idea using appropriate detail.
Needs Improvement (70%): Develops an initial post with a point of view or idea but with some gaps in organization and detail.
Not Evident (0%): Does not develop an initial post with an organized point of view or idea.

Timeliness (Value: 10)
Exemplary: N/A
Proficient (100%): Submits initial post on time.
Needs Improvement (70%): Submits initial post one day late.
Not Evident (0%): Submits initial post two or more days late.

Engagement (Value: 20)
Exemplary (100%): Provides relevant and meaningful response posts with clarifying explanation and detail.
Proficient (90%): Provides relevant response posts with some explanation and detail.
Needs Improvement (70%): Provides somewhat relevant response posts with some explanation and detail.
Not Evident (0%): Provides response posts that are generic with little explanation or detail.

Critical Thinking (Value: 30)
Exemplary (100%): Draws insightful conclusions that are thoroughly defended with evidence and examples.
Proficient (90%): Draws informed conclusions that are justified with evidence.
Needs Improvement (70%): Draws logical conclusions.
Not Evident (0%): Does not draw logical conclusions.

Writing (Mechanics) (Value: 20)
Exemplary (100%): Initial post and responses are easily understood, clear, and concise using proper citation methods where applicable with no errors in citations.
Proficient (90%): Initial post and responses are easily understood using proper citation methods where applicable with few errors in citations.
Needs Improvement (70%): Initial post and responses are understandable using proper citation methods where applicable with a number of errors in citations.
Not Evident (0%): Initial post and responses are not understandable and do not use proper citation methods where applicable.

Total: 100%
NIST Special Publication 800-30
Revision 1
Guide for Conducting
Risk Assessments
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
INFORMATION
SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
September 2012
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for Standards and Technology
and Director
Special Publication 800-30
Guide for Conducting Risk Assessments
________________________________________________________________________________________________
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
PAGE ii
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
NIST Special Publication 800-30, 95 pages
(September 2012)
CODEN: NSPUE2
Certain commercial entities, equipment, or materials may be identified in this document in order to
describe an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST
in accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines,
and procedures, where they exist, remain operative. For planning and transition purposes, federal
agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and
provide feedback to NIST. All NIST publications are available at http://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic mail: [email protected]
Compliance with NIST Standards and Guidelines
In accordance with the provisions of FISMA, 1 the Secretary of Commerce shall, on the basis of
standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to
federal information systems. The Secretary shall make standards compulsory and binding to the
extent determined necessary by the Secretary to improve the efficiency of operation or security of
federal information systems. Standards prescribed shall include information security standards
that provide minimum information security requirements and are otherwise necessary to improve
the security of federal information and information systems.

Federal Information Processing Standards (FIPS) are approved by the Secretary of
Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and
binding for federal agencies. 2 FISMA requires that federal agencies comply with these
standards, and therefore, agencies may not waive their use.

Special Publications (SPs) are developed and issued by NIST as recommendations and
guidance documents. For other than national security programs and systems, federal
agencies must follow those NIST Special Publications mandated in a Federal Information
Processing Standard. FIPS 200 mandates the use of Special Publication 800-53, as
amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA
and Agency Privacy Management) state that for other than national security programs
and systems, federal agencies must follow certain specific NIST Special Publications. 3

Other security-related publications, including interagency reports (NISTIRs) and ITL
Bulletins, provide technical and other information about NIST’s activities. These
publications are mandatory only when specified by OMB.

Compliance schedules for NIST security standards and guidelines are established by
OMB in policies, directives, or memoranda (e.g., annual FISMA Reporting Guidance).4
1
The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and
national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information
Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an
organization-wide program to provide security for the information systems that support its operations and assets.
2
The term agency is used in this publication in lieu of the more general term organization only in those circumstances
where its usage is directly related to other source documents such as federal legislation or policy.
3
While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB
policy, there is flexibility in how agencies apply the guidance. Federal agencies apply the security concepts and
principles articulated in the NIST Special Publications in accordance with and in the context of the agency’s missions,
business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies
can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB
definition of adequate security for federal information systems. Given the high priority of information sharing and
transparency within the federal government, agencies also consider reciprocity in developing their information security
solutions. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators,
auditors, and assessors consider the intent of the security concepts and principles articulated within the specific
guidance document and how the agency applied the guidance in the context of its mission/business responsibilities,
operational environment, and unique organizational conditions.
4
Unless otherwise stated, all references to NIST publications in this document (i.e., Federal Information Processing
Standards and Special Publications) are to the most recent version of the publication.
Acknowledgements
This publication was developed by the Joint Task Force Transformation Initiative Interagency
Working Group with representatives from the Civil, Defense, and Intelligence Communities in an
ongoing effort to produce a unified information security framework for the federal government.
The National Institute of Standards and Technology wishes to acknowledge and thank the senior
leaders from the Departments of Commerce and Defense, the Office of the Director of National
Intelligence, the Committee on National Security Systems, and the members of the interagency
technical working group whose dedicated efforts contributed significantly to the publication. The
senior leaders, interagency working group members, and their organizational affiliations include:
Department of Defense
Office of the Director of National Intelligence
Teresa M. Takai
DoD Chief Information Officer
Adolpho Tarasiuk Jr.
Assistant DNI and Intelligence Community
Chief Information Officer
Richard Hale
Deputy Chief Information Officer for Cybersecurity
Charlene Leubecker
Deputy Intelligence Community Chief
Information Officer
Paul Grant
Director, Cybersecurity Policy
Catherine A. Henson
Director, Data Management
Dominic Cussatt
Deputy Director, Cybersecurity Policy
Greg Hall
Chief, Risk Management and Information
Security Programs Division
Kurt Eleam
Policy Advisor
National Institute of Standards and Technology
Committee on National Security Systems
Charles H. Romine
Director, Information Technology Laboratory
Teresa M. Takai
Chair, CNSS
Donna Dodson
Cybersecurity Advisor, Information Technology Laboratory
Richard Spires
Co-Chair, CNSS
Donna Dodson
Chief, Computer Security Division
Dominic Cussatt
CNSS Subcommittee Co-Chair
Ron Ross
FISMA Implementation Project Leader
Jeffrey Wilk
CNSS Subcommittee Co-Chair
Joint Task Force Transformation Initiative Interagency Working Group
Ron Ross
NIST, JTF Leader
Gary Stoneburner
Johns Hopkins APL
Jennifer Fabius
The MITRE Corporation
Kelley Dempsey
NIST
Deborah Bodeau
The MITRE Corporation
Steve Rodrigo
Tenacity Solutions, Inc.
Peter Gouldmann
Department of State
Arnold Johnson
NIST
Peter Williams
Booz Allen Hamilton
Karen Quigg
The MITRE Corporation
Christina Sames
TASC
Christian Enloe
NIST
In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and
Elizabeth Lennon of NIST for their superb technical editing and administrative support. The
authors also gratefully acknowledge and appreciate the significant contributions from individuals
and organizations in the public and private sectors, both nationally and internationally, whose
thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness
of this publication.
DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS
COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES
In developing standards and guidelines required by FISMA, NIST consults with other federal agencies
and offices as well as the private sector to improve information security, avoid unnecessary and costly
duplication of effort, and ensure that NIST publications are complementary with the standards and
guidelines employed for the protection of national security systems. In addition to its comprehensive
public review and vetting process, NIST is collaborating with the Office of the Director of National
Intelligence (ODNI), the Department of Defense (DoD), and the Committee on National Security
Systems (CNSS) to establish a common foundation for information security across the federal
government. A common foundation for information security will provide the Intelligence, Defense, and
Civil sectors of the federal government and their contractors, more uniform and consistent ways to
manage the risk to organizational operations and assets, individuals, other organizations, and the
Nation that results from the operation and use of information systems. A common foundation for
information security will also provide a strong basis for reciprocal acceptance of security authorization
decisions and facilitate information sharing. NIST is also working with public and private sector
entities to establish specific mappings and relationships between the security standards and guidelines
developed by NIST and the International Organization for Standardization and International
Electrotechnical Commission (ISO/IEC).
Table of Contents
CHAPTER ONE INTRODUCTION ……………………………………………………………………………… 1
1.1 PURPOSE AND APPLICABILITY …………………………………………………………………………………….. 2
1.2 TARGET AUDIENCE…………………………………………………………………………………………………… 2
1.3 RELATED PUBLICATIONS ……………………………………………………………………………………………. 3
1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION……………………………………………………………….. 3
CHAPTER TWO THE FUNDAMENTALS ………………………………………………………………………. 4
2.1 RISK MANAGEMENT PROCESS …………………………………………………………………………………….. 4
2.2 RISK ASSESSMENT …………………………………………………………………………………………………… 5
2.3 KEY RISK CONCEPTS ………………………………………………………………………………………………… 6
2.4 APPLICATION OF RISK ASSESSMENTS …………………………………………………………………………. 17
CHAPTER THREE THE PROCESS ………………………………………………………………………….. 23
3.1 PREPARING FOR THE RISK ASSESSMENT …………………………………………………………………….. 24
3.2 CONDUCTING THE RISK ASSESSMENT …………………………………………………………………………. 29
3.3 COMMUNICATING AND SHARING RISK ASSESSMENT INFORMATION …………………………………….. 37
3.4 MAINTAINING THE RISK ASSESSMENT …………………………………………………………………………. 38
APPENDIX A REFERENCES ……………………………………………………………………………….. A-1
APPENDIX B GLOSSARY …………………………………………………………………………………… B-1
APPENDIX C ACRONYMS ………………………………………………………………………………….. C-1
APPENDIX D THREAT SOURCES …………………………………………………………………………. D-1
APPENDIX E THREAT EVENTS ……………………………………………………………………………. E-1
APPENDIX F VULNERABILITIES AND PREDISPOSING CONDITIONS ……………………………….. F-1
APPENDIX G LIKELIHOOD OF OCCURRENCE ………………………………………………………….. G-1
APPENDIX H IMPACT ……………………………………………………………………………………….. H-1
APPENDIX I RISK DETERMINATION ……………………………………………………………………….. I-1
APPENDIX J INFORMING RISK RESPONSE ……………………………………………………………… J-1
APPENDIX K RISK ASSESSMENT REPORTS ……………………………………………………………. K-1
APPENDIX L SUMMARY OF TASKS ………………………………………………………………………..L-1
Prologue
“… Through the process of risk management, leaders must consider risk to U.S. interests from
adversaries using cyberspace to their advantage and from our own efforts to employ the global
nature of cyberspace to achieve objectives in military, intelligence, and business operations…”
“… For operational plans development, the combination of threats, vulnerabilities, and impacts
must be evaluated in order to identify important trends and decide where effort should be applied
to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess,
coordinate, and deconflict all cyberspace operations…”
“… Leaders at all levels are accountable for ensuring readiness and security to the same degree
as in any other domain…”
— THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
CAUTIONARY NOTES
SCOPE AND APPLICABILITY OF RISK ASSESSMENTS

Risk assessments are a key part of effective risk management and facilitate decision making at all
three tiers in the risk management hierarchy including the organization level, mission/business
process level, and information system level.

Because risk management is ongoing, risk assessments are conducted throughout the system
development life cycle, from pre-system acquisition (i.e., material solution analysis and technology
development), through system acquisition (i.e., engineering/manufacturing development and
production/deployment), and on into sustainment (i.e., operations/support).

There are no specific requirements with regard to: (i) the formality, rigor, or level of detail that
characterizes any particular risk assessment; (ii) the methodologies, tools, and techniques used to
conduct such risk assessments; or (iii) the format and content of assessment results and any
associated reporting mechanisms. Organizations have maximum flexibility on how risk assessments
are conducted and are encouraged to apply the guidance in this document so that the various needs
of organizations can be addressed and the risk assessment activities can be integrated into broader
organizational risk management processes.

Organizations are also cautioned that risk assessments are often not precise instruments of
measurement and reflect: (i) the limitations of the specific assessment methodologies, tools, and
techniques employed; (ii) the subjectivity, quality, and trustworthiness of the data used; (iii) the
interpretation of assessment results; and (iv) the skills and expertise of those individuals or groups
conducting the assessments.

Since cost, timeliness, and ease of use are a few of the many important factors in the application of
risk assessments, organizations should attempt to reduce the level of effort for risk assessments by
sharing risk-related information, whenever possible.
CHAPTER ONE
INTRODUCTION
THE NEED FOR RISK ASSESSMENTS TO SUPPORT ENTERPRISE-WIDE RISK MANAGEMENT
Organizations 5 in the public and private sectors depend on information technology 6 and
information systems 7 to successfully carry out their missions and business functions.
Information systems can include very diverse entities ranging from office networks,
financial and personnel systems to very specialized systems (e.g., industrial/process control
systems, weapons systems, telecommunications systems, and environmental control systems).
Information systems are subject to serious threats that can have adverse effects on organizational
operations and assets, individuals, other organizations, and the Nation by exploiting both known
and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the
information being processed, stored, or transmitted by those systems. Threats to information
systems can include purposeful attacks, environmental disruptions, human/machine errors, and
structural failures, and can result in harm to the national and economic security interests of the
United States. Therefore, it is imperative that leaders and managers at all levels understand their
responsibilities and are held accountable for managing information security risk—that is, the risk
associated with the operation and use of information systems that support the missions and
business functions of their organizations.
Risk assessment is one of the fundamental components of an organizational risk management
process as described in NIST Special Publication 800-39. Risk assessments are used to identify,
estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and
reputation), organizational assets, individuals, other organizations, and the Nation, resulting from
the operation and use of information systems. The purpose of risk assessments is to inform
decision makers and support risk responses by identifying: (i) relevant threats to organizations or
threats directed through organizations against other organizations; (ii) vulnerabilities both internal
and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the
potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur. The end
result is a determination of risk (i.e., typically a function of the degree of harm and likelihood of
harm occurring). Risk assessments can be conducted at all three tiers in the risk management
hierarchy—including Tier 1 (organization level), Tier 2 (mission/business process level), and Tier
3 (information system level). At Tiers 1 and 2, organizations use risk assessments to evaluate, for
example, systemic information security-related risks associated with organizational governance
and management activities, mission/business processes, enterprise architecture, or the funding of
information security programs. At Tier 3, organizations use risk assessments to more effectively
support the implementation of the Risk Management Framework (i.e., security categorization;
security control selection, implementation, and assessment; information system and common
control authorization; and security control monitoring). 8
5
The term organization describes an entity of any size, complexity, or positioning within an organizational structure
(e.g., a federal agency or, as appropriate, any of its operational elements) that is charged with carrying out assigned
mission/business processes and that uses information systems in support of those processes.
6
Organizations also manage information technology in the form of common infrastructures, sets of shared services, and
sets of common controls.
7
An information system is a discrete set of information resources organized for the collection, processing, maintenance,
use, sharing, dissemination, or disposition of information.
8
The Risk Management Framework is described in NIST Special Publication 800-37.
1.1 PURPOSE AND APPLICABILITY
The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments
of federal information systems and organizations, amplifying the guidance in Special Publication
800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part
of an overall risk management process—providing senior leaders/executives with the information
needed to determine appropriate courses of action in response to identified risks. In particular,
this document provides guidance for carrying out each of the steps in the risk assessment process
(i.e., preparing for the assessment, conducting the assessment, communicating the results of the
assessment, and maintaining the assessment) and how risk assessments and other organizational
risk management processes complement and inform each other. Special Publication 800-30 also
provides guidance to organizations on identifying specific risk factors to monitor on an ongoing
basis, so that organizations can determine whether risks have increased to unacceptable levels
(i.e., exceeding organizational risk tolerance) and different courses of action should be taken.
This publication satisfies the requirements of FISMA and meets or exceeds the information
security requirements established for executive agencies 9 by the Office of Management and
Budget (OMB) in Circular A-130, Appendix III, Security of Federal Automated Information
Resources. The guidelines in this publication are applicable to all federal information systems
other than those systems designated as national security systems as defined in 44 U.S.C., Section
3542. The guidelines have been broadly developed from a technical perspective to complement
similar guidelines for national security systems and may be used for such systems with the
approval of appropriate federal officials exercising policy authority over such systems. State,
local, and tribal governments, as well as private sector organizations are encouraged to consider
using these guidelines, as appropriate.
1.2 TARGET AUDIENCE
This publication is intended to serve a diverse group of risk management professionals including:

Individuals with oversight responsibilities for risk management (e.g., heads of agencies, chief
executive officers, chief operating officers, risk executive [function]);

Individuals with responsibilities for conducting organizational missions/business functions
(e.g., mission/business owners, information owners/stewards, authorizing officials);

Individuals with responsibilities for acquiring information technology products, services, or
information systems (e.g., acquisition officials, procurement officers, contracting officers);

Individuals with information system/security design, development, and implementation
responsibilities (e.g., program managers, enterprise architects, information security architects,
information system/security engineers, information systems integrators);

Individuals with information security oversight, management, and operational responsibilities
(e.g., chief information officers, senior information security officers,10 information security
managers, information system owners, common control providers); and
9
An executive agency is: (i) an executive department specified in 5 U.S.C., Section 101; (ii) a military department
specified in 5 U.S.C., Section 102; (iii) an independent establishment as defined in 5 U.S.C., Section 104(1); and (iv) a
wholly owned government corporation fully subject to the provisions of 31 U.S.C., Chapter 91. In this publication, the
term executive agency is synonymous with the term federal agency.
10
At the agency level, this position is known as the Senior Agency Information Security Officer. Organizations may
also refer to this position as the Chief Information Security Officer.

Individuals with information security/risk assessment and monitoring responsibilities (e.g.,
system evaluators, penetration testers, security control assessors, risk assessors, independent
verifiers/validators, inspectors general, auditors).
1.3 RELATED PUBLICATIONS
The risk assessment approach described in this publication is supported by a series of security
standards and guidelines necessary for managing information security risk. In addition to this
publication, the Special Publications developed by the Joint Task Force Transformation Initiative
supporting the unified information security framework for the federal government include:

Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and
Information System View; 11

Special Publication 800-37, Guide for Applying the Risk Mana