SP 800-30 Page iv
TABLE OF CONTENTS
1. INTRODUCTION ... 1
  1.1 AUTHORITY ... 1
  1.2 PURPOSE ... 1
  1.3 OBJECTIVE ... 2
  1.4 TARGET AUDIENCE ... 2
  1.5 RELATED REFERENCES ... 3
  1.6 GUIDE STRUCTURE ... 3
2. RISK MANAGEMENT OVERVIEW ... 4
  2.1 IMPORTANCE OF RISK MANAGEMENT ... 4
  2.2 INTEGRATION OF RISK MANAGEMENT INTO SDLC ... 4
  2.3 KEY ROLES ... 6
3. RISK ASSESSMENT ... 8
  3.1 STEP 1: SYSTEM CHARACTERIZATION ... 10
    3.1.1 System-Related Information ... 10
    3.1.2 Information-Gathering Techniques ... 11
  3.2 STEP 2: THREAT IDENTIFICATION ... 12
    3.2.1 Threat-Source Identification ... 12
    3.2.2 Motivation and Threat Actions ... 13
  3.3 STEP 3: VULNERABILITY IDENTIFICATION ... 15
    3.3.1 Vulnerability Sources ... 16
    3.3.2 System Security Testing ... 17
    3.3.3 Development of Security Requirements Checklist ... 18
  3.4 STEP 4: CONTROL ANALYSIS ... 19
    3.4.1 Control Methods ... 20
    3.4.2 Control Categories ... 20
    3.4.3 Control Analysis Technique ... 20
  3.5 STEP 5: LIKELIHOOD DETERMINATION ... 21
  3.6 STEP 6: IMPACT ANALYSIS ... 21
  3.7 STEP 7: RISK DETERMINATION ... 24
    3.7.1 Risk-Level Matrix ... 24
    3.7.2 Description of Risk Level ... 25
  3.8 STEP 8: CONTROL RECOMMENDATIONS ... 26
  3.9 STEP 9: RESULTS DOCUMENTATION ... 26
4. RISK MITIGATION ... 27
  4.1 RISK MITIGATION OPTIONS ... 27
  4.2 RISK MITIGATION STRATEGY ... 28
  4.3 APPROACH FOR CONTROL IMPLEMENTATION ... 29
  4.4 CONTROL CATEGORIES ... 32
    4.4.1 Technical Security Controls ... 32
    4.4.2 Management Security Controls ... 35
    4.4.3 Operational Security Controls ... 36
  4.5 COST-BENEFIT ANALYSIS ... 37
  4.6 RESIDUAL RISK ... 39
5. EVALUATION AND ASSESSMENT ... 41
  5.1 GOOD SECURITY PRACTICE ... 41
  5.2 KEYS FOR SUCCESS ... 41
Appendix A—Sample Interview Questions ... A-1
Appendix B—Sample Risk Assessment Report Outline ... B-1