
Risk Management Guide for
Information Technology Systems

Recommendations of the National Institute of
Standards and Technology

Gary Stoneburner, Alice Goguen, and Alexis Feringa

Special Publication 800-30

SP 800-30 Page ii

COMPUTER SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

1 Booz Allen Hamilton Inc.
3190 Fairview Park Drive
Falls Church, VA 22042

July 2002

U.S. DEPARTMENT OF COMMERCE
Donald L. Evans, Secretary

TECHNOLOGY ADMINISTRATION
Phillip J. Bond, Under Secretary for Technology

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Arden L. Bement, Jr., Director

NIST Special Publication 800-30 Risk Management Guide for
Information Technology Systems

Recommendations of the
National Institute of Standards and Technology

Gary Stoneburner, Alice Goguen1, and
Alexis Feringa1

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
promotes the U.S. economy and public welfare by providing technical leadership for the nation's
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL's responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. The Special Publication 800-series
reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-30
Natl. Inst. Stand. Technol. Spec. Publ. 800-30, 54 pages (July 2002)

CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an
experimental procedure or concept adequately. Such identification is not intended to imply recommendation or
endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities,
materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors, Gary Stoneburner, from NIST and Alice Goguen and Alexis Feringa from Booz
Allen Hamilton wish to express their thanks to their colleagues at both organizations who
reviewed drafts of this document. In particular, Timothy Grance, Marianne Swanson, and Joan
Hash from NIST and Debra L. Banning, Jeffrey Confer, Randall K. Ewell, and Waseem
Mamlouk from Booz Allen provided valuable insights that contributed substantially to the
technical content of this document. Moreover, we gratefully acknowledge and appreciate the
many comments from the public and private sectors whose thoughtful and constructive
comments improved the quality and utility of this publication.

TABLE OF CONTENTS

1. INTRODUCTION…………………………………………………………………………………………………………………………….1
1.1 AUTHORITY ……………………………………………………………………………………………………………………………….1
1.2 PURPOSE……………………………………………………………………………………………………………………………………1
1.3 OBJECTIVE ………………………………………………………………………………………………………………………………..2
1.4 TARGET AUDIENCE …………………………………………………………………………………………………………………….2
1.5 RELATED REFERENCES………………………………………………………………………………………………………………..3
1.6 GUIDE STRUCTURE……………………………………………………………………………………………………………………..3

2. RISK MANAGEMENT OVERVIEW ……………………………………………………………………………………………….4
2.1 IMPORTANCE OF RISK MANAGEMENT ……………………………………………………………………………………………4
2.2 INTEGRATION OF RISK MANAGEMENT INTO SDLC ………………………………………………………………………….4
2.3 KEY ROLES ……………………………………………………………………………………………………………………………….6

3. RISK ASSESSMENT ……………………………………………………………………………………………………………………….8
3.1 STEP 1: SYSTEM CHARACTERIZATION …………………………………………………………………………………………10

3.1.1 System-Related Information………………………………………………………………………………………………….10
3.1.2 Information-Gathering Techniques ………………………………………………………………………………………..11

3.2 STEP 2: THREAT IDENTIFICATION……………………………………………………………………………………………….12
3.2.1 Threat-Source Identification ………………………………………………………………………………………………….12
3.2.2 Motivation and Threat Actions ………………………………………………………………………………………………13

3.3 STEP 3: VULNERABILITY IDENTIFICATION……………………………………………………………………………………15
3.3.1 Vulnerability Sources……………………………………………………………………………………………………………16
3.3.2 System Security Testing ………………………………………………………………………………………………………..17
3.3.3 Development of Security Requirements Checklist……………………………………………………………………..18

3.4 STEP 4: CONTROL ANALYSIS……………………………………………………………………………………………………..19
3.4.1 Control Methods ………………………………………………………………………………………………………………….20
3.4.2 Control Categories ………………………………………………………………………………………………………………20
3.4.3 Control Analysis Technique…………………………………………………………………………………………………..20

3.5 STEP 5: LIKELIHOOD DETERMINATION………………………………………………………………………………………..21
3.6 STEP 6: IMPACT ANALYSIS ………………………………………………………………………………………………………..21
3.7 STEP 7: RISK DETERMINATION …………………………………………………………………………………………………..24

3.7.1 Risk-Level Matrix…………………………………………………………………………………………………………………24
3.7.2 Description of Risk Level ………………………………………………………………………………………………………25

3.8 STEP 8: CONTROL RECOMMENDATIONS ………………………………………………………………………………………26
3.9 STEP 9: RESULTS DOCUMENTATION……………………………………………………………………………………………26

4. RISK MITIGATION ………………………………………………………………………………………………………………………27
4.1 RISK MITIGATION OPTIONS ………………………………………………………………………………………………………..27
4.2 RISK MITIGATION STRATEGY ……………………………………………………………………………………………………..28
4.3 APPROACH FOR CONTROL IMPLEMENTATION………………………………………………………………………………..29
4.4 CONTROL CATEGORIES ……………………………………………………………………………………………………………..32

4.4.1 Technical Security Controls…………………………………………………………………………………………………..32
4.4.2 Management Security Controls………………………………………………………………………………………………35
4.4.3 Operational Security Controls ……………………………………………………………………………………………….36

4.5 COST-BENEFIT ANALYSIS ………………………………………………………………………………………………………….37
4.6 RESIDUAL RISK ………………………………………………………………………………………………………………………..39

5. EVALUATION AND ASSESSMENT………………………………………………………………………………………………41
5.1 GOOD SECURITY PRACTICE ………………………………………………………………………………………………………..41
5.2 KEYS FOR SUCCESS …………………………………………………………………………………………………………………..41

Appendix A: Sample Interview Questions ………………………………………………………………………………………………. A-1

Appendix B: Sample Risk Assessment Report Outline ……………………………………………………………………………….B-1

Appendix C: Sample Implementation Safeguard Plan Summary Table …………………………………………………………C-1

Appendix D: Acronyms ………………………………………………………………………………………………………………………… D-1

Appendix E: Glossary…………………………………………………………………………………………………………………………….E-1

Appendix F: References…………………………………………………………………………………………………………………………. F-1

LIST OF FIGURES

Figure 3-1 Risk Assessment Methodology Flowchart ………………………………………………………………………………………9

Figure 4-1 Risk Mitigation Action Points……………………………………………………………………………………………………..28

Figure 4-2 Risk Mitigation Methodology Flowchart………………………………………………………………………………………31

Figure 4-3 Technical Security Controls………………………………………………………………………………………………………..33

Figure 4-4 Control Implementation and Residual Risk …………………………………………………………………………………..40

LIST OF TABLES

Table 2-1 Integration of Risk Management to the SDLC ………………………………………………………………………………….5

Table 3-1 Human Threats: Threat-Source, Motivation, and Threat Actions ………………………………………………………14

Table 3-2 Vulnerability/Threat Pairs ……………………………………………………………………………………………………………15

Table 3-3 Security Criteria …………………………………………………………………………………………………………………………18

Table 3-4 Likelihood Definitions ………………………………………………………………………………………………………………..21

Table 3-5 Magnitude of Impact Definitions ………………………………………………………………………………………………….23

Table 3-6 Risk-Level Matrix ………………………………………………………………………………………………………………………25

Table 3-7 Risk Scale and Necessary Actions ………………………………………………………………………………………………..25

1. INTRODUCTION

Every organization has a mission. In this digital era, as organizations use automated information
technology (IT) systems1 to process their information for better support of their missions, risk
management plays a critical role in protecting an organization's information assets, and therefore
its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security
program. The principal goal of an organization's risk management process should be to protect
the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk
management process should not be treated primarily as a technical function carried out by the IT
experts who operate and manage the IT system, but as an essential management function of the
organization.

1.1 AUTHORITY

This document has been developed by NIST in furtherance of its statutory responsibilities under
the Computer Security Act of 1987 and the Information Technology Management Reform Act of
1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline within
the meaning of 15 U.S.C 278 g-3 (a)(3).

These guidelines are for use by Federal organizations which process sensitive information.
They are consistent with the requirements of OMB Circular A-130, Appendix III.

The guidelines herein are not mandatory and binding standards. This document may be used by
non-governmental organizations on a voluntary basis. It is not subject to copyright.

Nothing in this document should be taken to contradict standards and guidelines made
mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, the Director of the Office of Management and Budget,
or any other Federal official.

1.2 PURPOSE

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability
and the impact of occurrence. Risk management is the process of identifying risk, assessing risk,
and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the
development of an effective risk management program, containing both the definitions and the
practical guidance necessary for assessing and mitigating risks identified within IT systems. The
ultimate goal is to help organizations to better manage IT-related mission risks.

1 The term "IT system" refers to a general support system (e.g., mainframe computer, mid-range computer, local
area network, agencywide backbone) or a major application that can run on a general support system and whose
use of information resources satisfies a specific set of user requirements.

In addition, this guide provides information on the selection of cost-effective security controls.2
These controls can be used to mitigate risk for the better protection of mission-critical
information and the IT systems that process, store, and carry this information.

Organizations may choose to expand or abbreviate the comprehensive processes and steps
suggested in this guide and tailor them to their environment in managing IT-related mission
risks.

1.3 OBJECTIVE

The objective of performing risk management is to enable the organization to accomplish its
mission(s) (1) by better securing the IT systems that store, process, or transmit organizational
information; (2) by enabling management to make well-informed risk management decisions to
justify the expenditures that are part of an IT budget; and (3) by assisting management in
authorizing (or accrediting) the IT systems3 on the basis of the supporting documentation
resulting from the performance of risk management.

1.4 TARGET AUDIENCE

This guide provides a common foundation for experienced and inexperienced, technical, and
non-technical personnel who support or use the risk management process for their IT systems.
These personnel include:

• Senior management, the mission owners, who make decisions about the IT security
budget.

• Federal Chief Information Officers, who ensure the implementation of risk
management for agency IT systems and the security provided for these IT systems

• The Designated Approving Authority (DAA), who is responsible for the final
decision on whether to allow operation of an IT system

• The IT security program manager, who implements the security program

• Information system security officers (ISSO), who are responsible for IT security

• IT system owners of system software and/or hardware used to support IT functions.

• Information owners of data stored, processed, and transmitted by the IT systems

• Business or functional managers, who are responsible for the IT procurement process

• Technical support personnel (e.g., network, system, application, and database
administrators; computer specialists; data security analysts), who manage and
administer security for the IT systems

• IT system and application programmers, who develop and maintain code that could
affect system and data integrity

2 The terms "safeguards" and "controls" refer to risk-reducing measures; these terms are used interchangeably in
this guidance document.
3 Office of Management and Budget's November 2000 Circular A-130, the Computer Security Act of 1987, and the
Government Information Security Reform Act of October 2000 require that an IT system be authorized prior to
operation and reauthorized at least every 3 years thereafter.

• IT quality assurance personnel, who test and ensure the integrity of the IT systems
and data

• Information system auditors, who audit IT systems

• IT consultants, who support clients in risk management.

1.5 RELATED REFERENCES

This guide is based on the general concepts presented in National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-27, Engineering Principles for IT Security,
along with the principles and practices in NIST SP 800-14, Generally Accepted Principles and
Practices for Securing Information Technology Systems. In addition, it is consistent with the
policies presented in Office of Management and Budget (OMB) Circular A-130, Appendix III,
"Security of Federal Automated Information Resources"; the Computer Security Act (CSA) of
1987; and the Government Information Security Reform Act of October 2000.

1.6 GUIDE STRUCTURE

The remaining sections of this guide discuss the following:

• Section 2 provides an overview of risk management, how it fits into the system
development life cycle (SDLC), and the roles of individuals who support and use this
process.

• Section 3 describes the risk assessment methodology and the nine primary steps in
conducting a risk assessment of an IT system.

• Section 4 describes the risk mitigation process, including risk mitigation options and
strategy, approach for control implementation, control categories, cost-benefit
analysis, and residual risk.

• Section 5 discusses the good practice and need for an ongoing risk evaluation and
assessment and the factors that will lead to a successful risk management program.

This guide also contains six appendixes. Appendix A provides sample interview questions.
Appendix B provides a sample outline for use in documenting risk assessment results. Appendix
C contains a sample table for the safeguard implementation plan. Appendix D provides a list of
the acronyms used in this document. Appendix E contains a glossary of terms used frequently in
this guide. Appendix F lists references.

2. RISK MANAGEMENT OVERVIEW

This guide describes the risk management methodology, how it fits into each phase of the SDLC,
and how the risk management process is tied to the process of system authorization (or
accreditation).

2.1 IMPORTANCE OF RISK MANAGEMENT

Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation
and assessment. Section 3 of this guide describes the risk assessment process, which includes
identification and evaluation of risks and risk impacts, and recommendation of risk-reducing
measures. Section 4 describes risk mitigation, which refers to prioritizing, implementing, and
maintaining the appropriate risk-reducing measures recommended from the risk assessment
process. Section 5 discusses the continual evaluation process and keys for implementing a
successful risk management program. The DAA or system authorizing official is responsible for
determining whether the remaining risk is at an acceptable level or whether additional security
controls should be implemented to further reduce or eliminate the residual risk before
authorizing (or accrediting) the IT system for operation.

Risk management is the process that allows IT managers to balance the operational and
economic costs of protective measures and achieve gains in mission capability by protecting the
IT systems and data that support their organizations' missions. This process is not unique to the
IT environment; indeed it pervades decision-making in all areas of our daily lives. Take the case
of home security, for example. Many people decide to have home security systems installed and
pay a monthly fee to a service provider to have these systems monitored for the better protection
of their property. Presumably, the homeowners have weighed the cost of system installation and
monitoring against the value of their household goods and their family's safety, a fundamental
"mission" need.

The head of an organizational unit must ensure that the organization has the capabilities needed
to accomplish its mission. These mission owners must determine the security capabilities that
their IT systems must have to provide the desired level of mission support in the face of real-
world threats. Most organizations have tight budgets for IT security; therefore, IT security
spending must be reviewed as thoroughly as other management decisions. A well-structured risk
management methodology, when used effectively, can help management identify appropriate
controls for providing the mission-essential security capabilities.

2.2 INTEGRATION OF RISK MANAGEMENT INTO SDLC

Minimizing negative impact on an organization and the need for a sound basis in decision making
are the fundamental reasons organizations implement a risk management process for their IT
systems. Effective risk management must be totally integrated into the SDLC. An IT system's
SDLC has five phases: initiation, development or acquisition, implementation, operation or
maintenance, and disposal. In some cases, an IT system may occupy several of these phases at
the same time. However, the risk management methodology is the same regardless of the SDLC
phase for which the assessment is being conducted. Risk management is an iterative process that
can be performed during each major phase of the SDLC. Table 2-1 describes the characteristics
of each SDLC phase and indicates how risk management can be performed in support of each
phase.

Table 2-1 Integration of Risk Management into the SDLC

Columns: SDLC Phase | Phase Characteristics | Support from Risk Management Activities

Phase 1: Initiation
  Phase characteristics: The need for an IT system is expressed and the purpose and scope of
  the IT system is documented.
  Support from risk management activities: Identified risks are used to support the development
  of the system requirements, including security requirements, and a security concept of
  operations (strategy).

Phase 2: Development or Acquisition
  Phase characteristics: The IT system is designed, purchased, programmed, developed, or
  otherwise constructed.
  Support from risk management activities: The risks identified during this phase can be used to
  support the security analyses of the IT system that may lead to architecture and design
  trade-offs during system development.

Phase 3: Implementation
  Phase characteristics: The system security features should be configured, enabled, tested, and
  verified.
  Support from risk management activities: The risk management process supports the assessment
  of the system implementation against its requirements and within its modeled operational
  environment. Decisions regarding risks identified must be made prior to system operation.

Phase 4: Operation or Maintenance
  Phase characteristics: The system performs its functions. Typically the system is being modified
  on an ongoing basis through the addition of hardware and software and by changes to
  organizational processes, policies, and procedures.
  Support from risk management activities: Risk management activities are performed for periodic
  system reauthorization (or reaccreditation) or whenever major changes are made to an IT
  system in its operational, production environment (e.g., new system interfaces).

Phase 5: Disposal
  Phase characteristics: This phase may involve the disposition of information, hardware, and
  software. Activities may include moving, archiving, discarding, or destroying information and
  sanitizing the hardware and software.
  Support from risk management activities: Risk management activities are performed for system
  components that will be disposed of or replaced to ensure that the hardware and software are
  properly disposed of, that residual data is appropriately handled, and that system migration is
  conducted in a secure and systematic manner.

2.3 KEY ROLES

Risk management is a management responsibility. This section describes the key roles of the
personnel who should support and participate in the risk management process.

• Senior Management. Senior management, under the standard of due care and
ultimate responsibility for mission accomplishment, must ensure that the necessary
resources are effectively applied to develop the capabilities needed to accomplish the
mission. They must also assess and incorporate results of the risk assessment activity
into the decision making process. An effective risk management program that
assesses and mitigates IT-related mission risks requires the support and involvement
of senior management.

• Chief Information Officer (CIO). The CIO is responsible for the agency's IT
planning, budgeting, and performance including its information security components.
Decisions made in these areas should be based on an effective risk management
program.

• System and Information Owners. The system and information owners are
responsible for ensuring that proper controls are in place to address integrity,
confidentiality, and availability of the IT systems and data they own. Typically the
system and information owners are responsible for changes to their IT systems. Thus,
they usually have to approve and sign off on changes to their IT systems (e.g., system
enhancement, major changes to the software and hardware). The system and
information owners must therefore understand their role in the risk management
process and fully support this process.

• Business and Functional Managers. The managers responsible for business
operations and IT procurement process must take an active role in the risk
management process. These managers are the individuals with the authority and
responsibility for making the trade-off decisions essential to mission accomplishment.
Their involvement in the risk management process enables the achievement of proper
security for the IT systems, which, if managed properly, will provide mission
effectiveness with a minimal expenditure of resources.

• ISSO. IT security program managers and computer security officers are responsible
for their organizations' security programs, including risk management. Therefore,
they play a leading role in introducing an appropriate, structured methodology to help
identify, evaluate, and minimize risks to the IT systems that support their
organizations' missions. ISSOs also act as major consultants in support of senior
management to ensure that this activity takes place on an ongoing basis.

• IT Security Practitioners. IT security practitioners (e.g., network, system,
application, and database administrators; computer specialists; security analysts;
security consultants) are responsible for proper implementation of security
requirements in their IT systems. As changes occur in the existing IT system
environment (e.g., expansion in network connectivity, changes to the existing
infrastructure and organizational policies, introduction of new technologies), the IT
security practitioners must support or use the risk management process to identify and
assess new potential risks and implement new security controls as needed to
safeguard their IT systems.

• Security Awareness Trainers (Security/Subject Matter Professionals). The
organization's personnel are the users of the IT systems. Use of the IT systems and
data according to an organization's policies, guidelines, and rules of behavior is
critical to mitigating risk and protecting the organization's IT resources. To minimize
risk to the IT systems, it is essential that system and application users be provided
with security awareness training. Therefore, the IT security trainers or
security/subject matter professionals must understand the risk management process so
that they can develop appropriate training materials and incorporate risk assessment
into training programs to educate the end users.

3. RISK ASSESSMENT

Risk assessment is the first process in the risk management methodology. Organizations use risk
assessment to determine the extent of the potential threat and the risk associated with an IT
system throughout its SDLC. The output of this process h
