NIST SP 800-39

Risk can never be eliminated, but it can be managed using the risk management process. The National Institute of Standards and Technology (NIST) 800 series documents are well known and accepted as industry standards in information security. Review NIST SP 800-39, a special publication that outlines a process for managing information security risk. Read pages 32-45 for a detailed explanation of the risk management process. Pay attention to the general description of each step in the process: framing risk, assessing risk, responding to risk, and monitoring risk. After you read, you should be able to explain the order of the steps in the process and what happens in each step.

The Process

This chapter describes a process for managing information security risk, including: a general overview of the risk management process; how organizations establish the context for risk-based decisions; how organizations assess risk considering threats, vulnerabilities, likelihood, and consequences/impact; how organizations respond to risk once determined; and how organizations monitor risk over time with changing mission/business needs, operating environments, and supporting information systems. The risk management process, introduced in Chapter Two, is described in this chapter along with its applicability across the three tiers of risk management. Each of the steps in the risk management process (i.e., risk framing, risk assessment, risk response, and risk monitoring) is described in a structured manner focusing on the inputs or preconditions necessary to initiate the step, the specific activities that compose the step, and the outputs or post conditions resulting from the step. The effects of the risk concepts described in Chapter Two (e.g., risk tolerance, trust, and culture) are also discussed in the context of the risk management process and its multitiered application. Figure 4 illustrates the risk management process as applied across the tiers - organization, mission/business process, and information system. The bidirectional arrows in the figure indicate that the information and communication flows among the risk management components, as well as the execution order of the components, may be flexible and respond to the dynamic nature of the risk management process as it is applied across all three tiers.

The steps in the risk management process are not inherently sequential in nature. The steps are performed in different ways, depending on the particular tier where the step is applied and on prior activities related to each of the steps. What is consistent is that the outputs or post conditions from a particular risk management step directly impact one or more of the other risk management steps in the risk management process. Organizations have significant flexibility in how the risk management steps are performed (e.g., sequence, degree of rigor, formality, and thoroughness of application) and in how the results of each step are captured and shared - both internally and externally. Ultimately, the objective of applying the risk management process and associated risk-related concepts is to develop a better understanding of information security risk in the context of the broader actions and decisions of organizations and, in particular, with respect to organizational operations and assets, individuals, other organizations, and the Nation.

Source: National Institute of Standards and Technology
This work is published free of restrictions under the Creative Commons CC0 1.0 Universal Public Domain Dedication.