
Risk assessments are part of an organization’s total risk management process.

To help organizations conduct effective risk assessments, the National Institute of Standards and Technology (NIST) has released the final version of its risk assessment guideline, Special Publication 800-30 Revision 1. It is written to give senior leaders and executives the information they need to understand, and make decisions about, the current information security risks to their organization and its information technology infrastructure.

“Risk assessments are an important tool for managers,” explains Ron Ross, NIST fellow and one of the authors of the recently released NIST document, “Guide for Conducting Risk Assessments”.

“With the increasing breadth and depth of cyber-attacks on federal information systems and the U.S. critical infrastructure,” Ross adds, “risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks.”

Information technology risks include risk to the organization’s operations (for example, its missions and reputation), to its critical assets such as data and physical property, and to the individuals who are part of or served by the organization. In some cases, these risks extend to the nation as a whole.

The Guide for Conducting Risk Assessments also provides guidance on the four factors that make up a risk determination:

(i) threats,

(ii) vulnerabilities,

(iii) impact to missions and business operations, and

(iv) the likelihood that a threat will exploit vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.

The document is available from NIST; consider adding it to the resource reading library of the risk management or business continuity planning team members in your organization.
