Risk assessment is one of four steps in the risk management process agencies should undertake in securing their computer networks, says the National Institute of Standards and Technology.
The agency released on Sept. 19 a draft publication meant to guide agencies in performing risk assessments, stating that it will accept public comment through Nov. 4. The document is Special Publication 800-30, which originally covered risk management guidelines; those guidelines are now instead covered by SP 800-39.
A risk assessment should include an explicit risk model, an assessment approach, and an analysis approach, the draft document states. A risk model defines key terms and their relationships. Defining terms early can lead to useful distinctions, such as between threat sources and threat events, the draft notes. Multiple threat sources can cause the same threat event, it adds. For example, a key server being taken offline is a threat event, but the sources can be as diverse as a denial-of-service attack and a power failure.
More...
Download
SP800-30-Rev1-ipd.pdf (823 KB)
Seen on fiercegovernmentit.com
Related link
- SP 800-30 Rev. 1 (NIST)