What Are The Steps to Risk Assessment

NIST 800-30 gives us a framework for establishing risk assessment. It divides risk assessment into four core steps.

The first step is to frame your risk. This is where we establish a context for your organization. We talk about your assets, your environment, and the business you do, in order to determine the scope and strategy, customized to your organization in particular.

Then we assess the risk. This is the actual risk assessment process, where we identify threats and vulnerabilities. We look at vulnerabilities that can be exploited from inside and from outside the organization. We talk about the possible harm and the likelihood of that harm inside your organization. This results in a determination of the risk and its potential severity and impact on your operations.

Then we respond to that risk assessment. It isn’t enough to just do a risk assessment; we actually have to do something about it. This is where we put mitigating controls in place, and we act to ensure that the risks we identified are lessened in impact or likelihood.

But then we have to monitor. It is insufficient to assess risk, build a set of controls, and then call it done. You absolutely must keep an eye on the evolving risks around your organization, how those risks change over time, and how well your controls address the risks you identified. The monitoring phase takes care of that.

