NIST SP 800-30 Rev 1
Organizations make explicit: (i) the _____________ used to conduct impact determinations; (ii) __________________ related to impact determinations; (iii) _________________________________ for obtaining impact information; and (iv) the _____________________________________ reached with regard to impact determinations.
process , assumptions, sources and methods, rationale for conclusions
NIST SP 800-30 Rev 1 is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), __________________________________, as analyzed in Circular A-130, Appendix IV: ___________________________________.
Securing Agency Information Systems, Analysis of Key Sections
__________are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use.
FIPS
_____________________________________ are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a FIPS. FIPS 200 mandates the use of ___________________, as amended.
Special Publications, 800-53
______________________________ is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39.
Risk assessment
At Tier 3, organizations use risk assessments to more effectively support the implementation of the ___________________________________________.
Risk Management Framework
The purpose of Special Publication ___________ is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39.
800-30
NIST SP 800-30 provides guidance for carrying out each of the steps in the ____________________________________________.
risk assessment process
At the ____________ level, this position is known as the Senior Agency Information Security Officer. Organizations may also refer to this position as the _____________________________________________.
agency, Chief Information Security Officer
The risk assessment approach described in NIST SP 800-30 is supported by the Special Publications developed by the Joint Task Force Transformation Initiative supporting the unified information security framework for the federal government, which include SPs 800-_________, 800-___________, 800-___________, and 800-___________.
37, 39, 53, 53A
Special Publication 800-_______ supersedes (takes the place of) Special Publication 800-30 as the primary source for guidance on information security risk management.
39
Risk management processes include _________________, ___________________, ___________________, and _____________________.
framing risk, assessing risk, responding to risk, monitoring risk
The first component of risk management addresses how organizations _________________ or establish a risk context—that is, describing the environment in which risk-based decisions are made.
frame risk
The purpose of the risk framing component is to produce a _____________________________________ that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The ________________________________________ establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.
risk management strategy
The second component of risk management addresses how organizations __________________ within the context of the organizational risk frame.
assess risk
The third component of risk management addresses how organizations _____________________ once that risk is determined based on the results of a risk assessment.
respond to risk
The fourth component of risk management addresses how organizations __________________________ over time.
monitor risk
NIST Special Publication _____________ provides guidance on the three tiers in the risk management hierarchy including Tier 1 (organization), Tier 2 (mission/business process), and Tier 3 (information system).
800-39
Many of the outputs from the _____________________ step provide essential inputs to the ____________________________ step and the associated risk assessment process. These include, for example, the risk management strategy, organizational risk tolerance, risk assessment methodology, assumptions, constraints, and mission/business priorities.
risk framing, risk assessment
In the absence of an explicit or formal organizational ____________________________________, organizational resources (e.g., tools, data repositories) and references (e.g., exemplary risk assessment reports) can be used to discern those aspects of the organization's approach to risk management that affect risk assessment.
risk management strategy
_____________________________________________ are not confined to information systems but can include, for example, vulnerabilities in governance structures, mission/business processes, enterprise architecture, information security architecture, facilities, equipment, system development life cycle processes, supply chain activities, and external service providers.
Organizational vulnerabilities
_________________________________________ include, but are not limited to: the threat space; vulnerabilities; missions/business functions; mission/business processes; enterprise and information security architectures; information technologies; personnel; facilities; supply chain relationships; organizational governance/culture; procurement/acquisition processes; organizational policies/procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.
Environments of operation
NIST SP 800-30 Rev 1 focuses on the ______________________________ component of risk management—providing a step-by-step process for organizations on: (i) how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time.
risk assessment
A risk assessment methodology typically includes: (i) a _______________________________; (ii) an explicit ______________________, defining key terms and assessable risk factors and the relationships among the factors; (iii) an _______________________________ (e.g., quantitative, qualitative, or semi-qualitative), specifying the range of values those risk factors can assume during the risk assessment and how combinations of risk factors are identified/analyzed so that values of those factors can be functionally combined to evaluate risk; and (iv) an _____________________________ (e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented), describing how combinations of risk factors are identified/analyzed to ensure adequate coverage of the problem space at a consistent level of detail.
risk assessment process, risk model, assessment approach, analysis approach
________________________________________________ are defined by organizations and are a component of the risk management strategy that is developed during the risk framing step of the risk management process.
Risk assessment methodologies
______________________________________________ are influenced in large measure by the organizational risk management strategy. However, they can be customized for each risk assessment based on the purpose and scope of the assessment and the specific inputs organizations choose to make regarding the risk assessment process, risk model, assessment approach, and analysis approach.
Risk assessment methodologies
NIST Special Publication _____________ discusses the concepts of criticality and sensitivity of information with respect to security categorization.
800-60
Typical __________________ include threat, vulnerability, impact, likelihood, and predisposing condition.
risk factors
_____________________ are caused by threat sources.
Threat events
When threat events are identified with great specificity, _______________________ can be modeled, developed, and analyzed.
threat scenarios
Documentation of a _________________ includes: (i) identification of risk factors (definitions, descriptions, value scales); and (ii) identification of the relationships among those risk factors (both conceptual relationships, presented descriptively, and algorithms for combining values).
risk model
A _________________ can have a single assessable characteristic (e.g., impact severity) or multiple characteristics, some of which may be assessable and some of which may not be assessable. Characteristics which are not assessable typically help determine what lower-level characteristics are relevant. For example, a threat source has a (characteristic) threat type (using a taxonomy of threat types, which are nominal rather than assessable). The threat type determines which of the more detailed characteristics are relevant (e.g., a threat source of type adversary has associated characteristics of capabilities, intent, and targeting, which are directly assessable characteristics).
risk factor
Organizations can choose to specify ____________________ as: (i) single events, actions, or circumstances; or (ii) sets and/or sequences of related actions, activities, and/or circumstances.
threat events
Threat shifting can occur in one or more domains including: (i) the ____________ domain (e.g., a delay in an attack or illegal entry to conduct additional surveillance); (ii) the ______________ domain (e.g., selecting a different target that is not as well protected); (iii) the ________________ domain (e.g., adding resources to the attack in order to reduce uncertainty or overcome safeguards and/or countermeasures); or (iv) the ____________________________________ domain (e.g., changing the attack weapon or attack path).
time, target, resource, attack planning/attack method
Most information system vulnerabilities can be associated with _________________________ that either have not been applied (either intentionally or unintentionally), or have been applied, but retain some weakness.
security controls
_____________________________ are not identified only within information systems. Viewing information systems in a broader context, _____________________________ can be found in organizational governance structures (e.g., the lack of effective risk management strategies and adequate risk framing, poor intra-agency communications, inconsistent decisions about relative priorities of missions/business functions, or misalignment of enterprise architecture to support mission/business activities). _______________________ can also be found in external relationships (e.g., dependencies on particular energy sources, supply chains, information technologies, and telecommunications providers), mission/business processes (e.g., poorly defined processes or processes that are not risk-aware), and enterprise/information security architectures (e.g., poor architectural decisions resulting in lack of diversity or resiliency in organizational information systems).
Vulnerabilities
The ___________________ of a vulnerability is an assessment of the relative importance of mitigating/remediating the vulnerability. The __________________ can be determined by the extent of the potential adverse impact if such a vulnerability is exploited by a threat source. Thus, the _________________ of vulnerabilities, in general, is context-dependent.
severity
NIST Special Publication _____________ provides guidance on vulnerabilities at all three tiers in the risk management hierarchy and the potential adverse impact that can occur if threats exploit such vulnerabilities.
800-39
_______________ materialize as a result of a series of threat events, each of which takes advantage of one or more vulnerabilities.
Risks
A _____________________ tells a story, and hence is useful for risk communication as well as for analysis.
threat scenario
The _____________________________________ combines an estimate of the likelihood that the threat event will be initiated with an estimate of the likelihood of impact (i.e., the likelihood that the threat event results in adverse impacts).
likelihood risk factor
For adversarial threats, an assessment of likelihood of occurrence is typically based on: (i) adversary _____________; (ii) adversary ________________; and (iii) adversary ________________________.
intent, capability, targeting
For other than adversarial threat events, the likelihood of occurrence is estimated using historical __________________, empirical _____________, or other factors.
evidence, data
The likelihood that a threat event will be initiated or will occur is assessed with respect to a specific ________________________.
time frame
The likelihood of threat occurrence can also be based on the state of the _____________________________.
organization
The likelihood of impact addresses the ____________________ (or possibility) that the threat event will result in an adverse impact, regardless of the magnitude of harm that can be expected.
probability
The concept of ________________________ condition is also related to the term susceptibility or exposure. Organizations are not susceptible to risk (or exposed to risk) if a threat cannot exploit a vulnerability to cause adverse impact.
predisposing
__________________________________ pairing (i.e., establishing a one-to-one relationship between threats and vulnerabilities) may be undesirable when assessing likelihood at the mission/business function level, and in many cases, can be problematic even at the information system level due to the potentially large number of threats and vulnerabilities. This approach typically drives the level of detail in identifying threat events and vulnerabilities, rather than allowing organizations to make effective use of threat information and/or to identify threats at a level of detail that is meaningful.
Threat-vulnerability
In certain situations, the most effective way to reduce mission/business risk attributable to information security risk is to _________________ the mission/business processes so there are viable work-arounds when information systems are compromised. Using the concept of ______________________ may help organizations overcome some of the limitations of threat-vulnerability pairing (i.e., establishing a one-to-one relationship between threats and vulnerabilities).
redesign, threat scenarios
Organizations may explicitly define how established __________________________ guide the identification of high-value assets and the potential adverse impacts to organizational stakeholders. If such information is not defined, ________________________________ related to identifying targets of threat sources and associated organizational impacts can typically be derived from ____________________________________.
priorities and values, strategic planning and policies
__________ is a function of the likelihood of a threat event's occurrence and potential adverse impact should the event occur.
Risk
For purposes of risk ____________________________, risk is generally grouped according to the types of adverse impacts (and possibly the time frames in which those impacts are likely to be experienced).
communication
Organizations may use risk ______________________ to roll up several discrete or lower-level risks into a more general or higher-level risk. Organizations may also use risk ________________________ to efficiently manage the scope and scale of risk assessments involving multiple information systems and multiple mission/business processes with specified relationships and dependencies among those systems and processes.
aggregation
Risk ________________________, conducted primarily at Tiers 1 and 2 and occasionally at Tier 3, assesses the overall risk to organizational operations, assets, and individuals given the set of discrete risks.
aggregation
In general, for ______________ risks (e.g., the risk associated with a single information system supporting a well-defined mission/business process), the worst-case impact establishes an upper bound for the overall risk to organizational operations, assets, and individuals. One issue for risk ____________________________ is that this upper bound for risk may fail to apply.
discrete, aggregation
When aggregating risk, discrete risks can be ______________ (in a qualitative sense) or __________________ (in a quantitative sense) either in a positive or negative manner (i.e., finding relationships among risks that increase or decrease the likelihood of any specific risk materializing). This can be done at Tiers 1, 2, or 3.
coupled, correlated
___________, and its contributing factors, can be assessed in a variety of ways, including quantitatively, qualitatively, or semi-quantitatively.
Risk
_______________________ assessments most effectively support cost-benefit analyses of alternative risk responses or courses of action. However, the meaning of these results may not always be clear and may require interpretation and explanation—particularly to explain the assumptions and constraints on using the results.
Quantitative
The benefits of ________________________ assessments (in terms of the rigor, repeatability, and reproducibility of assessment results) can, in some cases, be outweighed by the costs (in terms of the expert time and effort and the possible deployment and use of tools required to make such assessments).
quantitative
________________________ assessments support communicating risk results to decision makers. However, the range of values in these assessments is comparatively small in most cases, making the relative prioritization or comparison within the set of reported risks difficult. Additionally, unless each value is very clearly defined or is characterized by meaningful examples, different experts relying on their individual experiences could produce significantly different assessment results.
Qualitative
The repeatability and reproducibility of ______________________ assessments are increased by the annotation of assessed values (e.g., this value is high because of the following reasons) and by the use of tables or other well-defined functions to combine qualitative values.
qualitative
________________________________ assessments can provide the benefits of quantitative and qualitative assessments. The role of expert judgment in assigning values is more evident than in a purely quantitative approach. Moreover, if the scales or sets of bins provide sufficient granularity, relative prioritization among results is better supported than in a purely qualitative approach.
Semi-quantitative
An analysis approach can be: (i) __________-oriented; (ii) ___________________-oriented; or (iii) _____________________-oriented.
threat, asset/impact, vulnerability
A _______________________________________ identifies high-value assets and adverse impacts with respect to the loss of integrity or availability. DHS Federal Continuity Directive 2 provides guidance on these at the organization and mission/business process levels of the risk management hierarchy, respectively. NIST Special Publication __________ provides guidance on these at the information system level of the risk management hierarchy.
Business Impact Analysis, 800-34
___________________ analysis techniques (e.g., functional dependency network analysis, attack tree analysis for adversarial threats, fault tree analysis for other types of threats) provide ways to use specific threat events to generate threat scenarios. These analysis techniques can also provide ways to account for situations in which one event can change the likelihood of occurrence for another event. Attack and fault tree analyses, in particular, can generate multiple threat scenarios that are nearly alike, for purposes of determining the levels of risk. With automated modeling and simulation, large numbers of threat scenarios (e.g., attack/fault trees, traversals of functional dependency networks) can be generated. Thus, these analysis techniques include ways to restrict the analysis to define a reasonable subset of all possible threat scenarios.
Graph-based
_________________________________________ determine which risk models, assessment approaches, and analysis approaches to use under varying circumstances.
Organizational risk frames
NIST Special Publication ____________ describes how organizational culture affects risk management.
800-39
NIST Special Publication ____________ defines an organization's risk frame as the set of assumptions, constraints, risk tolerances, priorities, and trade-offs that underpin the organization's risk management strategy—establishing a solid foundation for managing risk and bounding its risk-based decisions.
800-39
________ assessments support risk response decisions at the different tiers of the risk management hierarchy. These assessments can also inform other risk management activities across the three tiers that are not security-related.
Risk
It is important to note that __________________________________ contributes to non-security risks at each tier. Thus, the results of a risk assessment at a given tier serve as inputs to, and are aligned with, non-security risk management activities at that tier. In addition, the results of risk assessments at lower tiers serve as inputs to risk assessments at higher tiers.
information security risk
At Tier ___, risk assessments support organizational strategies, policies, guidance, and processes for managing risk. However, more realistic and meaningful risk assessments are based on assessments conducted across multiple mission/business lines (i.e., derived primarily from Tier 2 activities). Risk assessments at this Tier take into consideration the identification of mission-essential functions from Continuity of Operations Plans (COOP) prepared by organizations when determining the contribution of Tier 2 risks.
1
At Tier ____, risk assessments support the determination of mission/business process protection and resiliency requirements, and the allocation of those requirements to the enterprise architecture as part of mission/business segments (that support mission/business processes). This allocation is accomplished through an information security architecture embedded within the enterprise architecture.
2
Risk management and associated risk assessment activities at Tier ____ are closely aligned with the development of Business Continuity Plans (BCPs). Tier ____ risk assessments focus on mission/business segments, which typically include multiple information systems, with varying degrees of criticality and/or sensitivity with regard to core organizational missions/business functions.
2
Tier ____ can also focus on information security architecture as a critical component of enterprise architecture to help organizations select common controls inherited by organizational information systems at Tier 3.
2
The Tier 2 context and the system development life cycle determine the purpose and define the scope of risk assessment activities at Tier ____. While initial risk assessments (i.e., risk assessments performed for the first time, rather than updating prior risk assessments) can be performed at any phase in the system development life cycle, ideally these assessments should be performed in the Initiation phase. Risk assessments are also conducted at later phases in the system development life cycle, updating risk assessment results from earlier phases.
3
Risk assessment activities can be integrated with the steps in the Risk Management Framework (RMF), as defined in NIST Special Publication 800-37. The RMF, in its system development life cycle approach, operates primarily at Tier ____ with some application at Tiers ____ and ____, for example, in the selection of common controls.
3, 1, 2