Placed within the Identify function of the NIST Cybersecurity Framework is a category called Risk Assessment. According to NIST, the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.” As set out by NIST, conducting a risk assessment typically includes the following six steps:
In the security industry, we refer to these steps as being proactive (as opposed to being reactive, a euphemism for incident response). Best practices for conducting a risk assessment include, first and foremost, adequate preparation. But what does that require? In the world of risk assessments, preparation means setting out the ground rules, including a clear understanding of the assessment’s purpose and scope, its assumptions and constraints, its information sources, and whether a particular risk model or analytic approach is being used.