Companies are dependent upon information technology and associated systems. While the increasing number of information technology products used in various companies and industries can be beneficial, in some instances they may also introduce serious threats that can adversely affect a company's systems by exploiting both known and unknown vulnerabilities. The exploitation of vulnerabilities in company systems can compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems.

Performing a risk assessment is one of four components of risk management. Risk assessments identify and prioritize risks to company operations, assets, employees, and other organizations that may result from the operation of a system. Risk assessments inform company decision makers and support risk responses by identifying:

- relevant threats to organizations, or threats directed through organizations against other organizations;
- vulnerabilities both internal and external to organizations;
- impact (i.e., harm) to the company that may occur given the potential for threats exploiting vulnerabilities; and
- the likelihood that harm will occur.

Examples of risk assessment requirements include: security categorization, risk assessment, vulnerability scanning, and technical surveillance countermeasures survey. Companies should periodically assess the risk to operations (e.g., mission, functions, image, reputation), assets, and employees, which may result from the operation of company systems and the associated processing, storage, or transmission of company information.