NIST Special Publication 800-30, Revision 1
Guide for Conducting Risk Assessments
Joint Task Force Transformation Initiative
Information Security
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
September 2012
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for Standards and Technology
and Director
Special Publication 800-30
Guide for Conducting Risk Assessments
________________________________________________________________________________________________
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
NIST Special Publication 800-30, 95 pages
(September 2012)
CODEN: NSPUE2
Certain commercial entities, equipment, or materials may be identified in this document in order to
describe an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST
in accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines,
and procedures, where they exist, remain operative. For planning and transition purposes, federal
agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and
provide feedback to NIST. All NIST publications are available at http://csrc.nist.gov/publications.
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic mail: sec-cert@nist.gov
Compliance with NIST Standards and Guidelines
In accordance with the provisions of FISMA,[1] the Secretary of Commerce shall, on the basis of
standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to
federal information systems. The Secretary shall make standards compulsory and binding to the
extent determined necessary by the Secretary to improve the efficiency of operation or security of
federal information systems. Standards prescribed shall include information security standards
that provide minimum information security requirements and are otherwise necessary to improve
the security of federal information and information systems.
• Federal Information Processing Standards (FIPS) are approved by the Secretary of Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and binding for federal agencies.[2] FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use.
• Special Publications (SPs) are developed and issued by NIST as recommendations and guidance documents. For other than national security programs and systems, federal agencies must follow those NIST Special Publications mandated in a Federal Information Processing Standard. FIPS 200 mandates the use of Special Publication 800-53, as amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA and Agency Privacy Management) state that for other than national security programs and systems, federal agencies must follow certain specific NIST Special Publications.[3]
• Other security-related publications, including interagency reports (NISTIRs) and ITL Bulletins, provide technical and other information about NIST's activities. These publications are mandatory only when specified by OMB.
• Compliance schedules for NIST security standards and guidelines are established by OMB in policies, directives, or memoranda (e.g., annual FISMA Reporting Guidance).[4]
[1] The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an organization-wide program to provide security for the information systems that support its operations and assets.
[2] The term agency is used in this publication in lieu of the more general term organization only in those circumstances where its usage is directly related to other source documents such as federal legislation or policy.
[3] While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB policy, there is flexibility in how agencies apply the guidance. Federal agencies apply the security concepts and principles articulated in the NIST Special Publications in accordance with and in the context of the agency's missions, business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB definition of adequate security for federal information systems. Given the high priority of information sharing and transparency within the federal government, agencies also consider reciprocity in developing their information security solutions. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators, auditors, and assessors consider the intent of the security concepts and principles articulated within the specific guidance document and how the agency applied the guidance in the context of its mission/business responsibilities, operational environment, and unique organizational conditions.
[4] Unless otherwise stated, all references to NIST publications in this document (i.e., Federal Information Processing Standards and Special Publications) are to the most recent version of the publication.
Acknowledgements
This publication was developed by the Joint Task Force Transformation Initiative Interagency
Working Group with representatives from the Civil, Defense, and Intelligence Communities in an
ongoing effort to produce a unified information security framework for the federal government.
The National Institute of Standards and Technology wishes to acknowledge and thank the senior
leaders from the Departments of Commerce and Defense, the Office of the Director of National
Intelligence, the Committee on National Security Systems, and the members of the interagency
technical working group whose dedicated efforts contributed significantly to the publication. The
senior leaders, interagency working group members, and their organizational affiliations include:
Department of Defense
Teresa M. Takai, DoD Chief Information Officer
Richard Hale, Deputy Chief Information Officer for Cybersecurity
Paul Grant, Director, Cybersecurity Policy
Dominic Cussatt, Deputy Director, Cybersecurity Policy
Kurt Eleam, Policy Advisor

Office of the Director of National Intelligence
Adolpho Tarasiuk Jr., Assistant DNI and Intelligence Community Chief Information Officer
Charlene Leubecker, Deputy Intelligence Community Chief Information Officer
Catherine A. Henson, Director, Data Management
Greg Hall, Chief, Risk Management and Information Security Programs Division

National Institute of Standards and Technology
Charles H. Romine, Director, Information Technology Laboratory
Donna Dodson, Cybersecurity Advisor, Information Technology Laboratory
Donna Dodson, Chief, Computer Security Division
Ron Ross, FISMA Implementation Project Leader

Committee on National Security Systems
Teresa M. Takai, Chair, CNSS
Richard Spires, Co-Chair, CNSS
Dominic Cussatt, CNSS Subcommittee Co-Chair
Jeffrey Wilk, CNSS Subcommittee Co-Chair

Joint Task Force Transformation Initiative Interagency Working Group
Ron Ross, NIST, JTF Leader
Gary Stoneburner, Johns Hopkins APL
Jennifer Fabius, The MITRE Corporation
Kelley Dempsey, NIST
Deborah Bodeau, The MITRE Corporation
Steve Rodrigo, Tenacity Solutions, Inc.
Peter Gouldmann, Department of State
Arnold Johnson, NIST
Peter Williams, Booz Allen Hamilton
Karen Quigg, The MITRE Corporation
Christina Sames, TASC
Christian Enloe, NIST
In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and
Elizabeth Lennon of NIST for their superb technical editing and administrative support. The
authors also gratefully acknowledge and appreciate the significant contributions from individuals
and organizations in the public and private sectors, both nationally and internationally, whose
thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness
of this publication.
DEVELOPING COMMON INFORMATION SECURITY FOUNDATIONS
COLLABORATION AMONG PUBLIC AND PRIVATE SECTOR ENTITIES
In developing standards and guidelines required by FISMA, NIST consults with other federal agencies
and offices as well as the private sector to improve information security, avoid unnecessary and costly
duplication of effort, and ensure that NIST publications are complementary with the standards and
guidelines employed for the protection of national security systems. In addition to its comprehensive
public review and vetting process, NIST is collaborating with the Office of the Director of National
Intelligence (ODNI), the Department of Defense (DoD), and the Committee on National Security
Systems (CNSS) to establish a common foundation for information security across the federal
government. A common foundation for information security will provide the Intelligence, Defense, and
Civil sectors of the federal government and their contractors, more uniform and consistent ways to
manage the risk to organizational operations and assets, individuals, other organizations, and the
Nation that results from the operation and use of information systems. A common foundation for
information security will also provide a strong basis for reciprocal acceptance of security authorization
decisions and facilitate information sharing. NIST is also working with public and private sector
entities to establish specific mappings and relationships between the security standards and guidelines
developed by NIST and the International Organization for Standardization and International
Electrotechnical Commission (ISO/IEC).
Table of Contents
CHAPTER ONE INTRODUCTION ........ 1
1.1 PURPOSE AND APPLICABILITY ........ 2
1.2 TARGET AUDIENCE ........ 2
1.3 RELATED PUBLICATIONS ........ 3
1.4 ORGANIZATION OF THIS SPECIAL PUBLICATION ........ 3
CHAPTER TWO THE FUNDAMENTALS ........ 4
2.1 RISK MANAGEMENT PROCESS ........ 4
2.2 RISK ASSESSMENT ........ 5
2.3 KEY RISK CONCEPTS ........ 6
2.4 APPLICATION OF RISK ASSESSMENTS ........ 17
CHAPTER THREE THE PROCESS ........ 23
3.1 PREPARING FOR THE RISK ASSESSMENT ........ 24
3.2 CONDUCTING THE RISK ASSESSMENT ........ 29
3.3 COMMUNICATING AND SHARING RISK ASSESSMENT INFORMATION ........ 37
3.4 MAINTAINING THE RISK ASSESSMENT ........ 38
APPENDIX A REFERENCES ........ A-1
APPENDIX B GLOSSARY ........ B-1
APPENDIX C ACRONYMS ........ C-1
APPENDIX D THREAT SOURCES ........ D-1
APPENDIX E THREAT EVENTS ........ E-1
APPENDIX F VULNERABILITIES AND PREDISPOSING CONDITIONS ........ F-1
APPENDIX G LIKELIHOOD OF OCCURRENCE ........ G-1
APPENDIX H IMPACT ........ H-1
APPENDIX I RISK DETERMINATION ........ I-1
APPENDIX J INFORMING RISK RESPONSE ........ J-1
APPENDIX K RISK ASSESSMENT REPORTS ........ K-1
APPENDIX L SUMMARY OF TASKS ........ L-1
Prologue
“… Through the process of risk management, leaders must consider risk to U.S. interests from
adversaries using cyberspace to their advantage and from our own efforts to employ the global
nature of cyberspace to achieve objectives in military, intelligence, and business operations…”
“… For operational plans development, the combination of threats, vulnerabilities, and impacts
must be evaluated in order to identify important trends and decide where effort should be applied
to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess,
coordinate, and deconflict all cyberspace operations…”
“… Leaders at all levels are accountable for ensuring readiness and security to the same degree
as in any other domain…”
— THE NATIONAL STRATEGY FOR CYBERSPACE OPERATIONS
OFFICE OF THE CHAIRMAN, JOINT CHIEFS OF STAFF, U.S. DEPARTMENT OF DEFENSE
CAUTIONARY NOTES
SCOPE AND APPLICABILITY OF RISK ASSESSMENTS
• Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers in the risk management hierarchy, including the organization level, mission/business process level, and information system level.
• Because risk management is ongoing, risk assessments are conducted throughout the system development life cycle, from pre-system acquisition (i.e., material solution analysis and technology development), through system acquisition (i.e., engineering/manufacturing development and production/deployment), and on into sustainment (i.e., operations/support).
• There are no specific requirements with regard to: (i) the formality, rigor, or level of detail that characterizes any particular risk assessment; (ii) the methodologies, tools, and techniques used to conduct such risk assessments; or (iii) the format and content of assessment results and any associated reporting mechanisms. Organizations have maximum flexibility on how risk assessments are conducted and are encouraged to apply the guidance in this document so that the various needs of organizations can be addressed and the risk assessment activities can be integrated into broader organizational risk management processes.
• Organizations are also cautioned that risk assessments are often not precise instruments of measurement and reflect: (i) the limitations of the specific assessment methodologies, tools, and techniques employed; (ii) the subjectivity, quality, and trustw …