NIST 800-30 Risk Assessment Framework


Using the NIST SP 800-30 risk assessment guidance to manage your organization's information security risk organizes the work into distinct but integrated tiers, which streamlines the assessment process and keeps the inventory of threats and controls at a manageable size. The National Institute of Standards and Technology (NIST) provides guidance for categorizing information and systems, determining impact levels and selecting security control baselines (FIPS 199 and SP 800-53 cover the categorization and the baselines respectively), but you should adapt those ideas to your own environment and apply them consistently, so that later assessments can be compared with earlier ones.

Striking a balance between an assessment that is comprehensive and one that is succinct enough to produce meaningful results is a challenge. NIST's guidance is to start at the highest possible level and move progressively, over time, to a more detailed view. The multi-tiered approach, which SP 800-30 takes from NIST SP 800-39, views risk from three distinct levels: the organization (Tier 1), the mission or business process (Tier 2) and the information system (Tier 3), so that risk can be presented at differing levels of granularity. Performing the risk assessment in layers, from the top down, gives incremental progress towards a more effective strategy: once the organization has put the furthest-reaching and most important controls in place at one tier, it moves to the next tier and analyzes risk at a finer grain.

Information system risk assessments are essential for every company, particularly in a technology-driven economy. Using the NIST SP 800-30 risk assessment process gives companies a better grasp of how to keep their information as secure as possible.