NIST has substantially updated the Guide for Conducting Risk Assessments (NIST Special Publication 800-30), and the draft is publicly available for comment. The focus of this guidance is on risk assessment, since risk management as a whole is covered by a separate NIST guidance (SP 800-39).
In today's world of complex and sophisticated threats, risk assessments are an essential tool for organizations to employ as part of a comprehensive risk management program. Risk assessments can help organizations:
- Determine the most appropriate risk responses to ongoing cyber attacks or threats from manmade or natural disasters;
- Guide investment strategies and decisions for the most effective cyber defences to help protect organizational operations (including missions, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
- Maintain ongoing situational awareness with regard to the security state of organizational information systems and the environments in which the systems operate.
Though this guidance is primarily intended for federal information systems, it is highly useful for private organizations as well. The draft guidance is available here for download.