NIST SP 800-30 is a standard developed by the National Institute of Standards and Technology. Published as a special document formulated for information security risk assessment, it pertains especially to IT systems.
The NIST SP 800-30 document is a recommendatory guideline for securing IT infrastructure from a purely technical perspective. NIST SP 800-30 was one of the first risk assessment standards, and most other standards are influenced by it. It has been widely used for infosec risk assessment globally, and is relevant to any business with an IT component.
Risk assessment and NIST SP 800-30
NIST SP 800-30 looks at securing the infrastructure on which the data resides. Here, organizational risks or business requirements are not a yardstick for measuring risk, as with ISO 27005 or OCTAVE. Risk assessment under NIST SP 800-30 involves nine steps in three distinct stages:
1. System characterization
NIST SP 800-30 is thorough, when it comes to system characterization. Starting with the hardware, systems are characterized by software and system interfaces. Next, the data residing on the system and the people who have access to it are noted. Finally, the system’s objectives, boundaries and functions are defined.
Another component here is the identification of critical data and its sensitivity, which helps in establishing a perspective for identifying threats. This is similar to information gathering and context establishment under OCTAVE and ISO 27005, respectively.
2. Threat identification
In NIST SP 800-30, the attack history is reviewed and correlated with intelligence from monitoring agencies to establish threat vectors. A threat statement is prepared for the system, similar to threat scenarios under OCTAVE.
3. Vulnerability identification
Vulnerability identification is the next step under NIST SP 800-30. Previous risk assessments, if any, are reviewed and audit comments from previous auditors’ logs are incorporated. Security requirements are then mapped against the results of security tests on the infrastructure.
NIST SP 800-30 draws out vulnerabilities in each defined system boundary. One of the strengths of NIST SP 800-30 is that it allows for mapping of vulnerabilities — quantifiable in technical terms — to the context of each security requirement.
4. Control analysis
Post vulnerability identification, NIST SP 800-30 analyzes controls, starting with existing controls. Additional controls are defined as required. This yields a comprehensive list of planned and existing controls.
Since NIST SP 800-30 is a technical risk assessment, organizational vulnerabilities and controls only come into play after the risks inherent in the IT infrastructure are addressed, unlike in ISO 27005 where existing controls precede vulnerability analysis. In NIST SP 800-30, risks to the IT infrastructure need to be identified from the ground up, before incorporating mitigation afforded by existing controls.
5: Likelihood determination
The first four steps are critical for establishing the infrastructure’s weaknesses. Next is the determination of likelihood of threats actually materializing, a process similar to preparing threat profiles under OCTAVE.
Starting with an analysis of the potential sources of threats and motivation behind them, the capacity of these threats to compromise the given system and the associated vulnerability, are identified. Existing controls are factored in to determine likelihood of incidents. Each threat is given a likelihood rating.
6: Impact analysis
The next step under NIST SP 800-30 is impact analysis. It measures impact to the business, as well as losses of confidentiality, integrity and availability (CIA). This is used to determine asset and data criticality, after measurement of established impacts.
7: Risk determination
Threat probability and the magnitude of impacts are correlated with adequacy of controls, to determine a level of risk. This level is quantified into a risk score or a risk rating.
Steps 8 & 9: Control recommendations and risk documentation
The final control recommendations using the NIST SP 800-30 standard are proposed, and a risk assessment report is prepared from earlier documented results. Control recommendations could pertain either to reducing the likelihood of a threat, or to mitigation of impact to reduce the risk score.
NIST SP 800-30 and the competition
Unlike ISO 27005 and OCTAVE, NIST SP 800-30 cannot be used for organizational risk assessment. There is no asset identification in NIST SP 800-30. As such, it focuses only on a specific infrastructure and its boundaries at a time.
While ISO 27005 is influenced by NIST SP 800-30, unlike ISO 27005 there is only one way that risk can be calculated under NIST SP 800-30. ISO 27005 allows for different computational methods, while NIST SP 800-30 is highly prescriptive, since the objective is to perform a technical risk analysis of the core IT infrastructure.
About the author: Dharshan Shanthamurthy is a director at SISA Information Security and a risk assessment specialist at SMART-RA.COM. Trained at Software Engineering Institute - Carnegie Mellon University, Dharshan carries a host of security certifications. He can be reached at firstname.lastname@example.org.
(As told to Varun Haran)
Please send your feedback and/or comments to vharan at techtarget dot com. You can also subscribe to our twitter feed at @SearchSecIN
This was first published in August 2011