Bad actors looking to exploit organizations have existed as long as the internet. The National Institute of Standards and Technology (NIST) publishes a family of security guidance that includes the NIST Cybersecurity Framework (CSF) and the Special Publication 800 series. Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments (NIST 800-30), is the document in that family that tells public and private entities how to perform risk assessments on their systems and how those assessments feed the wider risk management process.
It can be hard for executives and security professionals with a primarily technical background to get on the same page about the best way to conduct risk assessments. NIST 800-30 acts as a bridge to help both parties understand what it will take to bolster their organizational and computer security defenses against inside and outside threats.
NIST SP 800-30 gives risk assessment teams clear guidance on analyzing and reporting risks to company leaders. Because it defines a standard vocabulary (threat sources, threat events, vulnerabilities, predisposing conditions, likelihood, impact, and risk), it is easier to translate findings into business terms: which threats the organization faces, how they could affect operations, and what the potential financial losses are.
That common terminology is a benefit in its own right. Security teams can present risk assessment results in a business context, and company leaders gain a clear picture of the residual risk that remains after existing controls are taken into account and of whom in the organization it affects.
NIST 800-30 is guidance, not a certification standard; no auditor signs off on it. Federal agencies are expected to follow NIST's risk management publications under FISMA, but for everyone else adoption is voluntary. Even so, any company heavily reliant on technology should use the NIST 800-30 guidelines for its risk management process, because there is never a day on which attackers are not probing IT infrastructure for weak points.
Size shouldn’t be a factor in whether you use the NIST 800-30 guidance for risk analysis. Even small startups often rely on remote workers tapping into shared software-as-a-service (SaaS) applications and other cloud services. What happens if a hacker manages to compromise one of those assets?
Attackers often target healthcare organizations, financial institutions, and government agencies. Things got worse for hospitals and other healthcare institutions during the COVID-19 pandemic. Ransomware became the weapon of choice as attackers sought to hijack healthcare systems and tap into valuable protected health information (PHI). According to IBM's Cost of a Data Breach report, the healthcare industry lost just over $10 million per data breach on average.
With daily headlines about companies falling victim to cyber-attacks, company leaders have started facing the realities of how their dependence on the internet for essential business functions exposes them. The same IBM report put the average cost of a data breach for U.S. companies at $9.44 million, with stolen or compromised credentials the most common initial attack vector.
Many companies need help figuring out how to carry out the risk assessment process and the associated impact analysis. Identifying vulnerabilities against the multitude of cybersecurity threats they face can seem daunting. There is the issue of collecting the data, parsing it, and translating all of it into a readable, easily understood format.
The NIST 800-30 framework guides company leaders and security personnel in creating and executing risk assessments that follow the NIST framework. Organizations should conduct risk assessments to gain a better understanding of the following:
Tools such as HyperComply generate and manage risk assessment questionnaires, which makes it easier for companies to align a NIST 800-30 based assessment with the regulatory requirements of mandates like PCI DSS or HIPAA.
Use the following best practices to develop and use risk assessments for improved risk mitigation and threat identification within your organization.
Start by mapping out the reason for conducting the risk assessment. Are you looking to ensure you are complying with industry regulations? Is there a need to reinforce the protections you have around network endpoints? Are you looking to assess the current security protections of a new vendor?
Once you’ve established the purpose of the assessment, you can start working on the following:
You can’t start your risk determination until you understand the following:
Start your data audit by answering the following questions:
Assign a priority to each asset to help you decide the scope of your risk assessment. It is rarely practical to assess every person, device, or data source, so the priority tells you which items to work on first based on their value to the organization.
Figure out the most significant threat sources your organization deals with. NIST 800-30 groups them into four types: adversarial (attackers, insiders, competitors), accidental (user error), structural (equipment or software failures, power outages), and environmental (natural disasters, fires, floods). An accidental example might be an employee logging into a company system over an unsecured Wi-Fi connection or failing to apply a security patch.
Any of the above could trigger secondary vulnerabilities within your security safeguards and lead to threats like:
Start by looking at past risk assessments, including auditor findings and comments recorded in logs. Map each vulnerability you discover against your security requirements: work out which information technology systems are associated with it and whether predisposing conditions already exist that leave your company more exposed.
Assign each threat to a likelihood tier based on how likely it is to occur and cause adverse impact to your company. If a potential adversary lacks the capability or resources to carry out a specific scenario, rate that scenario lower. You should also consider how likely it is that your organization would be targeted for specific attacks based on the functions it performs and the data it holds.
Examine the extent of harm a threat could cause to your operations, assets, workers, or vendors. Factor in how well your organization could contain the threat when rating impact severity. You should examine potential threat targets such as:
You have to understand the magnitude of the impact of every risk identified through your process.
Determine the risk level each threat poses to your organization by combining the likelihood of it occurring with the magnitude of the impact. NIST 800-30 offers qualitative scales (Very Low through Very High) and semi-quantitative scales (0 to 100) for this, and a matrix that maps the two ratings to a risk level. Explicitly spell out your assumptions about the organization and how you reached each rating. Score every risk, keeping in mind that several moderate-level risks on the same asset can be as dangerous as one high-level risk.
Decision-makers should have risk assessment information to guide their decisions around security investments. Formats to use include interactive dashboards, briefings, or risk assessment reports. You can make the presentation formal or informal based on your company environment.
Organizations need to keep the information within risk assessments current to support ongoing decision-making related to risk response. A change management mechanism should be in place to capture changes found through risk monitoring.
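The steps above (prioritize assets, rate likelihood and impact, determine risk, and report it) can be captured in a small risk register. The following is an added example, not code from the page or from HyperComply; the threat scenarios in it are constructed for a hypothetical organization, and the likelihood-by-impact matrix is my transcription of SP 800-30 Rev. 1, Appendix I, Table I-2, which you should verify against the publication before relying on it.

```python
"""Minimal NIST SP 800-30 style risk register.

Turns an assessor's qualitative likelihood and impact ratings into a risk
level, ranks scenarios, and flags assets that accumulate several moderate
risks. Added example; scenarios are constructed, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative scale used throughout SP 800-30 Rev. 1 (Appendices G, H, I).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Risk level as a function of overall likelihood (row) and level of impact
# (column). Transcribed from SP 800-30 Rev. 1, Appendix I, Table I-2;
# verify against the publication before using it in a real assessment.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the qualitative risk level for one threat scenario."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if impact not in LEVELS:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class ThreatScenario:
    asset: str          # what is at risk (prioritized in the prepare step)
    threat_source: str  # adversarial, accidental, structural or environmental
    threat_event: str   # what the source does
    likelihood: str     # overall likelihood the event occurs and causes harm
    impact: str         # magnitude of harm if it does
    assumptions: str    # why the assessor chose these ratings


# Constructed sample register for a hypothetical organization.
SAMPLE_REGISTER = [
    ThreatScenario("SaaS identity provider", "adversarial",
                   "credential stuffing against staff accounts", "High", "High",
                   "no MFA on legacy accounts; leaked credentials circulate"),
    ThreatScenario("Remote laptop fleet", "accidental",
                   "staff joins corporate VPN over untrusted Wi-Fi", "Moderate", "Moderate",
                   "VPN enforced, but DNS leaks possible on some clients"),
    ThreatScenario("Remote laptop fleet", "adversarial",
                   "exploitation of an unpatched browser", "Moderate", "High",
                   "patch SLA is 30 days; browser is the main attack surface"),
    ThreatScenario("Remote laptop fleet", "accidental",
                   "lost or stolen device with cached data", "Moderate", "Moderate",
                   "full-disk encryption deployed but not verified fleet-wide"),
    ThreatScenario("Primary data center", "environmental",
                   "regional power outage beyond UPS capacity", "Low", "Moderate",
                   "generator tested quarterly; failover site exists"),
    ThreatScenario("Public marketing site", "adversarial",
                   "defacement via CMS plugin vulnerability", "Low", "Low",
                   "static site, no customer data"),
]


def assess(register: list[ThreatScenario]) -> list[dict]:
    """Determine risk for each scenario and rank highest risk first."""
    rows = []
    for s in register:
        rows.append({"asset": s.asset, "threat_event": s.threat_event,
                     "likelihood": s.likelihood, "impact": s.impact,
                     "risk": risk_level(s.likelihood, s.impact),
                     "assumptions": s.assumptions})
    # sorted() is stable, so register order is kept among equal-risk items.
    return sorted(rows, key=lambda r: LEVELS.index(r["risk"]), reverse=True)


def assets_with_accumulated_risk(rows: list[dict], threshold: str = "Moderate",
                                 count: int = 2) -> dict[str, int]:
    """Flag assets carrying `count` or more risks rated at `threshold` or above.
    Several moderate risks on one asset can matter as much as one high risk."""
    floor = LEVELS.index(threshold)
    tally: dict[str, int] = {}
    for r in rows:
        if LEVELS.index(r["risk"]) >= floor:
            tally[r["asset"]] = tally.get(r["asset"], 0) + 1
    return {asset: n for asset, n in tally.items() if n >= count}


def report(register: list[ThreatScenario]) -> str:
    """Plain-text briefing for decision-makers, one line per scenario."""
    rows = assess(register)
    lines = [f"{r['risk']:<9} {r['asset']:<24} {r['threat_event']}" for r in rows]
    for asset, n in assets_with_accumulated_risk(rows).items():
        lines.append(f"NOTE: {asset} carries {n} risks rated Moderate or higher")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_REGISTER))
```

Keeping the assumptions column in the register is what makes the assessment maintainable: when monitoring shows that a condition has changed (MFA rolled out, the patch SLA shortened), the affected rows can be re-rated and the report regenerated instead of redoing the whole exercise.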
The control families outlined in NIST Special Publication 800-53 (SP 800-53), initially developed for federal agencies, can be used by any organization to manage the risks of storing, processing, and transmitting data. Each control family groups related controls and control enhancements.
The access control section covers any controls tied to system, network, and device access. The guidance helps organizations correctly implement the following:
The guidance here helps companies ensure that users given access to information systems have the training and awareness needed to recognize potential threats. Use this section to develop policies on role-based training and on keeping training records. This can be especially important for companies that work with third-party vendors.
This control family provides explanations on establishing event logging and audit procedures, including the following:
Here, the focus is on assessing security and privacy controls, authorizing systems to operate, and monitoring them continuously. You can also learn about delegating responsibilities, setting up assessment plans, and tracking identified weaknesses through to remediation in a plan of action and milestones.
This section contains information on configuring software and devices on company networks. The goal is to help organizations lower their risk of someone installing unauthorized hardware or software within business systems. It contains details on the following:
The guidance here teaches companies about controls needed to prepare for potential breaches or system failures. It details system backup and alternative storage options to mitigate potential system downtime.
This section covers controls to identify users and devices using a company’s systems and networks. You can use the information here to strengthen your management policies and lower risks associated with unauthorized access.
The IR family covers enhanced controls used to cover specific threat events like data breaches, supply chain issues, malicious code, and dealing with PR fallout.
This section covers controlled system maintenance: scheduling and documenting maintenance, inspecting maintenance tools, securing remote (nonlocal) maintenance sessions, and logging what was done. It outlines policies aimed at reducing the risks that maintenance activity introduces. You can also learn more about managing and supervising maintenance personnel.
The media protection control family offers guidance on storing, transporting, sanitizing, and destroying storage media (both digital, such as drives and USB sticks, and non-digital, such as paper) safely. Use it to set baseline controls for your organization and lower the risk of a data breach through lost or discarded media.
The controls outlined in this section cover physical facility and device access. Use the techniques outlined here to establish physical access control policies. You can also use them for planning responses to sudden power loss or the need to relocate to a different facility in an emergency.
The controls in the planning section cover baseline system settings for security controls related to:
The controls outlined under program management cover the management of information and organizational systems. Organizations can use them to establish information security, risk management, and critical infrastructure plans.
This control family covers procedures related to personnel management and provides insight into the IT security risks linked to different company positions. Use it to establish organizational guidelines for screening, transfers, sanctions, and terminating employment or contracts.
This section helps businesses reduce risk by establishing policies for processing, storing, and managing personally identifiable information (PII) transparently.
The risk assessment control family covers risk assessment policy, security categorization of systems and information, conducting risk assessments, and ongoing vulnerability monitoring and scanning, the activities that NIST 800-30 describes in detail.
These controls cover various ways organizations can safely acquire new devices and services while protecting existing data and information systems.
The controls in this section cover protecting systems and their communications: boundary protection, confidentiality and integrity of data in transit, cryptographic key management, denial-of-service protection, and usage restrictions on collaborative computing devices such as shared cameras and microphones. Organizations can use this information to develop access controls, set-up procedures, and guidelines for managing communication systems.
SI controls help maintain the integrity of information systems throughout the organization. Topics covered include flaw remediation, protection against malicious code and spam, system monitoring, and input validation.
The controls here cover ways for organizations to mitigate supply chain risks. Topics covered include conducting supply chain component inspections, assessing suppliers and vendors, and managing suppliers.
The information provided in NIST 800-30 helps establish a unified set of guidelines for conducting risk assessments on organizational threats. Industries like healthcare and finance face extensive threats from bad actors looking to steal personal data or hijack business systems.
HyperComply helps companies simplify the workflows associated with developing risk assessment questionnaires. Learn how to use HyperComply to adopt the NIST 800-30 guidelines within your company.