Risk assessment methods are covered in NIST SP 800-30, Risk Management Guide for Information Technology Systems (retitled Guide for Conducting Risk Assessments in Revision 1), and in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.
NIST SP 800-30 gives the high-level framework for risk assessment, summarized in its Risk Assessment Methodology Flowchart.
Each step in that flowchart is covered in more detail elsewhere on this site. Risk assessment is a core part of risk management as a whole, so it comes up again and again here.
NIST SP 800-115 describes the tasks for assessing security controls, which makes it an important part of the risk assessment method. You have to know the characteristics of the system (step one of the SP 800-30 methodology, system characterization) before you can do information security testing and assessment.
Information security testing in SP 800-115 uses three types of assessment methods to analyze the effectiveness of security controls (step 4 of the flowchart, control analysis) and, along the way, to identify vulnerabilities (step 3, vulnerability identification):
testing, examination, and interviewing
Testing = process of exercising one or more assessment objects under specific conditions to compare actual and expected behaviors.
Examination = process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
Interviewing = the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.
–NIST SP 800-115