没有合适的资源?快使用搜索试试~ 我知道了~
首页NIST SP800-30信息安全文档
NIST SP800-30信息安全文档
4星 · 超过85%的资源 需积分: 9 56 下载量 190 浏览量
更新于2023-03-16
评论
收藏 1.86MB PDF 举报
NIST SP800-30-Rev1 for risk assessment
资源详情
资源评论
资源推荐
NIST Special Publication 800-30
Revision 1
Guide for Conducting
Risk Assessments
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
I N F O R M A T I O N S E C U R I T Y
INITIAL PUBLIC DRAFT
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
September 2011
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for Standards and Technology
and Director
________________________________________________________________________________________________
Special Publication 800-30 Guide for Conducting Risk Assessments
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
PAGE ii
________________________________________________________________________________________________
Special Publication 800-30 Guide for Conducting Risk Assessments
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix III, Security of Federal
Automated Information Resources.
Nothing in this publication should be taken to contradict the standards and guidelines made
mandatory and binding on federal agencies by the Secretary of Commerce under statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.
This publication may be used by nongovernmental organizations on a voluntary basis and is not
subject to copyright in the United States. Attribution would, however, be appreciated by NIST.
NIST Special Publication 800-30, 85 pages
(September 2011)
CODEN: NSPUE2
Certain commercial entities, equipment, or materials may be identified in this document in order to
describe an experimental procedure or concept adequately. Such identification is not intended to imply
recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or
equipment are necessarily the best available for the purpose.
There may be references in this publication to other publications currently under development by NIST
in accordance with its assigned statutory responsibilities. The information in this publication, including
concepts and methodologies, may be used by federal agencies even before the completion of such
companion publications. Thus, until each publication is completed, current requirements, guidelines,
and procedures, where they exist, remain operative. For planning and transition purposes, federal
agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review all draft publications during public comment periods and
provide feedback to NIST. All NIST publications, other than the ones noted above, are available at
http://csrc.nist.gov/publications.
Public comment period: September 19 through November 4, 2011
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic mail: sec-cert@nist.gov
PAGE iii
________________________________________________________________________________________________
Special Publication 800-30 Guide for Conducting Risk Assessments
Compliance with NIST Standards and Guidelines
In accordance with the provisions of FISMA,
1
the Secretary of Commerce shall, on the basis of
standards and guidelines developed by NIST, prescribe standards and guidelines pertaining to
federal information systems. The Secretary shall make standards compulsory and binding to the
extent determined necessary by the Secretary to improve the efficiency of operation or security of
federal information systems. Standards prescribed shall include information security standards
that provide minimum information security requirements and are otherwise necessary to improve
the security of federal information and information systems.
• Federal Information Processing Standards (FIPS) are approved by the Secretary of
Commerce and issued by NIST in accordance with FISMA. FIPS are compulsory and
binding for federal agencies.
2
FISMA requires that federal agencies comply with these
standards, and therefore, agencies may not waive their use.
• Special Publications (SPs) are developed and issued by NIST as recommendations and
guidance documents. For other than national security programs and systems, federal
agencies must follow those NIST Special Publications mandated in a Federal Information
Processing Standard. FIPS 200 mandates the use of Special Publication 800-53, as
amended. In addition, OMB policies (including OMB Reporting Instructions for FISMA
and Agency Privacy Management) state that for other than national security programs
and systems, federal agencies must follow certain specific NIST Special Publications.
3
• Other security-related publications, including interagency reports (NISTIRs) and ITL
Bulletins, provide technical and other information about NIST's activities. These
publications are mandatory only when specified by OMB.
• Compliance schedules for NIST security standards and guidelines are established by
OMB in policies, directives, or memoranda (e.g., annual FISMA Reporting Guidance).
4
1
The E-Government Act (P.L. 107-347) recognizes the importance of information security to the economic and
national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information
Security Management Act (FISMA), emphasizes the need for organizations to develop, document, and implement an
organization-wide program to provide security for the information systems that support its operations and assets.
2
The term agency is used in this publication in lieu of the more general term organization only in those circumstances
where its usage is directly related to other source documents such as federal legislation or policy.
3
While federal agencies are required to follow certain specific NIST Special Publications in accordance with OMB
policy, there is flexibility in how agencies apply the guidance. Federal agencies apply the security concepts and
principles articulated in the NIST Special Publications in accordance with and in the context of the agency’s missions,
business functions, and environment of operation. Consequently, the application of NIST guidance by federal agencies
can result in different security solutions that are equally acceptable, compliant with the guidance, and meet the OMB
definition of adequate security for federal information systems. Given the high priority of information sharing and
transparency within the federal government, agencies also consider reciprocity in developing their information security
solutions. When assessing federal agency compliance with NIST Special Publications, Inspectors General, evaluators,
auditors, and assessors consider the intent of the security concepts and principles articulated within the specific
guidance document and how the agency applied the guidance in the context of its mission/business responsibilities,
operational environment, and unique organizational conditions.
4
Unless otherwise stated, all references to NIST publications in this document (i.e., Federal Information Processing
Standards and Special Publications) are to the most recent version of the publication.
PAGE iv
________________________________________________________________________________________________
Special Publication 800-30 Guide for Conducting Risk Assessments
Acknowledgements
This publication was developed by the Joint Task Force Transformation Initiative Interagency
Working Group with representatives from the Civil, Defense, and Intelligence Communities in an
ongoing effort to produce a unified information security framework for the federal government.
The National Institute of Standards and Technology wishes to acknowledge and thank the senior
leaders from the Departments of Commerce and Defense, the Office of the Director of National
Intelligence, the Committee on National Security Systems, and the members of the interagency
technical working group whose dedicated efforts contributed significantly to the publication. The
senior leaders, interagency working group members, and their organizational affiliations include:
U.S. Department of Defense Office of the Director of National Intelligence
Teresa M. Takai Adolpho Tarasiuk Jr.
Intelligence Community Chief Information
Officer
Charlene P. Leubecker
Deputy Intelligence Community Chief
Information Officer
Mark J. Morrison
Assurance
Roger Caslow
Senior Policy Advisor Director, Intelligence Community Information
Assistant Secretary of Defense for Networks and Assistant Director of National Intelligence and
Information Integration/DoD Chief Information
Officer (Acting)
Gus Guissanie
Deputy Assistant Secretary of Defense (Acting)
Dominic Cussatt
Barbara Fleming
Chief, Risk Management and Information
Security Programs Division
Senior Policy Advisor
National Institute of Standards and Technology Committee on National Security Systems
Cita M. Furlani Teresa M. Takai
Director, Information Technology Laboratory Acting Chair, CNSS
William C. Barker Eustace D. King
Cyber Security Advisor, Information Technology Laboratory CNSS Subcommittee Co-Chair
Donna Dodson Kevin Deeley
Chief, Computer Security Division CNSS Subcommittee Co-Chair
Ron Ross Lance Dubsky
FISMA Implementation Project Leader CNSS Subcommittee Co-Chair
Joint Task Force Transformation Initiative Interagency Working Group
Ron Ross Gary Stoneburner Jennifer Fabius Kelley Dempsey
NIST, JTF Leader Johns Hopkins APL The MITRE Corporation NIST
Deborah Bodeau David R. Comings Peter Gouldmann Arnold Johnson
The MITRE Corporation Tenacity Solutions, Inc. Department of State NIST
Peter Williams Karen Quigg Christina Sames Christian Enloe
Booz Allen Hamilton The MITRE Corporation TASC NIST
In addition to the above acknowledgments, a special note of thanks goes to Peggy Himes and
Elizabeth Lennon of NIST for their superb technical editing and administrative support. The
authors also gratefully acknowledge and appreciate the significant contributions from individuals
and organizations in the public and private sectors, both nationally and internationally, whose
thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness
of this publication.
PAGE v
剩余84页未读,继续阅读
chlen_2k
- 粉丝: 1
- 资源: 3
上传资源 快速赚钱
- 我的内容管理 收起
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
会员权益专享
最新资源
- c++校园超市商品信息管理系统课程设计说明书(含源代码) (2).pdf
- 建筑供配电系统相关课件.pptx
- 企业管理规章制度及管理模式.doc
- vb打开摄像头.doc
- 云计算-可信计算中认证协议改进方案.pdf
- [详细完整版]单片机编程4.ppt
- c语言常用算法.pdf
- c++经典程序代码大全.pdf
- 单片机数字时钟资料.doc
- 11项目管理前沿1.0.pptx
- 基于ssm的“魅力”繁峙宣传网站的设计与实现论文.doc
- 智慧交通综合解决方案.pptx
- 建筑防潮设计-PowerPointPresentati.pptx
- SPC统计过程控制程序.pptx
- SPC统计方法基础知识.pptx
- MW全能培训汽轮机调节保安系统PPT教学课件.pptx
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
评论3