Risk Management Guide for Information Technology Systems (NIST SP800-30)
  • Authors
    Gary Stoneburner@NIST, Alice Goguen@NIST, Alexis Feringa@NIST
  • Introduction

    Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

    The risk assessment methodology encompasses nine primary steps, which are described in Sections 3.1 through 3.9:

    • Step 1System Characterization (Section 3.1)
    • Step 2Threat Identification (Section 3.2)
    • Step 3Vulnerability Identification (Section 3.3)
    • Step 4Control Analysis (Section 3.4)
    • Step 5Likelihood Determination (Section 3.5)
    • Step 6Impact Analysis (Section 3.6)
    • Step 7Risk Determination (Section 3.7)
    • Step 8Control Recommendations (Section 3.8)
    • Step 9Results Documentation (Section 3.9)
  • Note
    This site only organizes and indexes these materials; please credit the source when reposting or quoting.
Attachment download
  • Risk.Management.Guide.for.Information.Technology.Systems.sp800.30.pdf
    Date: Size: 0.49 M Downloads: 26