Understanding NIST SP 800-39

NIST SP 800-39 tells us that risk assessment can be performed organizationally, across your entire enterprise. Additional guidance from the rest of the NIST 800-30 series tells us that risk assessment is performed across three key tiers.

Tier one addresses organizational risk. Assessment at this tier is measured against your strategy and your governing policies, and it provides the guidance and processes for managing risk globally across the organization.

Tier two brings us to the mission and business process level of managing risk. This is where risk assessment begins to inform and guide decisions on whether, how, and when you use your information systems for specific business processes. How do you do your business? How do you deliver your services to your customers? How do you get paid for the things you do, and which threats can impact that service delivery chain?

Tier three deals with the information system level. This goes down into the design of the very systems that deliver the services just described: the design, implementation, and operational decisions that, at a fundamental level, drive your organization's operation.

