Risk Assessment process according to National Institute of Standards and Technology (NIST)

Session

Information Systems and Security

Description

Risk management is the process of identifying risks, assessing them and taking steps to reduce the risk to an acceptable level. Organizations use risk assessment as the first step of the risk management methodology, to determine the degree of potential threat, vulnerability and risk associated with an information technology (IT) system. The outcome of this process helps identify the appropriate risk mitigation or elimination controls during the risk mitigation process; the second step of risk management consists of prioritizing, evaluating and implementing the appropriate risk reduction controls recommended by the risk assessment. Through this paper I would like to explain the basis for developing an effective risk management program that contains both the definitions and the practical approach needed to assess and mitigate the risks identified in IT systems throughout their system development life cycle (SDLC). The goal of the paper is to help organizations better manage IT-related mission risks. Organizations may choose to expand or shorten the processes and steps suggested in this guide and adapt them to their own environment when managing IT-related mission risks. In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk and thus better protect critical mission information and the IT systems that process and maintain it. The third step in the process is continuous assessment and evaluation. In most organizations, IT systems will be expanded and updated continually: their components change and their software applications are replaced or upgraded to newer versions. In addition, staff changes will occur and security policies are likely to change over time. These changes mean that new risks will surface and that hazards which were previously brought under control may once again become a concern.

Keywords

Risk Assessment, NIST, Standards, information security, information technology

Session Chair

Anita Mirijamdotter

Session Co-Chair

Bejtush Ademi

Proceedings Editor

Edmond Hajrizi

ISBN

978-9951-437-69-1

Location

Pristina, Kosovo

Start Date

27-10-2018 9:00 AM

End Date

27-10-2018 10:30 AM

DOI

10.33107/ubt-ic.2018.206

This document is currently not available here.
