NIST SP 800-39 Appendix E

From FISMApedia

APPENDIX E

RISK MANAGEMENT PROCESS TASKS

SUMMARY OF TASKS FOR STEPS IN THE RISK MANAGEMENT PROCESS

TASK / TASK DESCRIPTION

Step 1: Risk Framing

TASK 1-1
RISK ASSUMPTIONS
Identify assumptions that affect how risk is assessed, responded to, and monitored within the organization.
TASK 1-2
RISK CONSTRAINTS
Identify constraints on the conduct of risk assessment, risk response, and risk monitoring activities within the organization.
TASK 1-3
RISK TOLERANCE
Identify the level of risk tolerance for the organization.
TASK 1-4
PRIORITIES AND TRADE-OFFS
Identify priorities and trade-offs considered by the organization in managing risk.

Step 2: Risk Assessment

TASK 2-1
THREAT AND VULNERABILITY IDENTIFICATION
Identify threats to and vulnerabilities in organizational information systems and the environments in which the systems operate.
TASK 2-2
RISK DETERMINATION
Determine the risk to organizational operations and assets, individuals, other organizations, and the Nation if identified threats exploit identified vulnerabilities.

Step 3: Risk Response

TASK 3-1
RISK RESPONSE IDENTIFICATION
Identify alternative courses of action to respond to risk determined during the risk assessment.
TASK 3-2
EVALUATION OF ALTERNATIVES
Evaluate alternative courses of action for responding to risk.
TASK 3-3
RISK RESPONSE DECISION
Decide on the appropriate course of action for responding to risk.
TASK 3-4
RISK RESPONSE IMPLEMENTATION
Implement the course of action selected to respond to risk.

Step 4: Risk Monitoring

TASK 4-1
RISK MONITORING STRATEGY
Develop a risk monitoring strategy for the organization that includes the purpose, type, and frequency of monitoring activities.
TASK 4-2
RISK MONITORING
Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes.