NIST 800 – 30 Risk Assessment

Decomposing the application – process of manual inspection to understand how the application works: its assets, functionality and connectivity
Defining and classifying assets – tangible/intangible, and give them ratings or rankings
Explore potential vulnerabilities – technical, operational, management
Explore potential threats – using threat scenarios and attack trees
Mitigating strategies – for the threats that are realistic
Threat model – collection of lists and diagrams of threat scale

RISK DRIVEN

Negative requirements: the application should not allow data to be altered or destroyed, and the application itself should not be compromised.
Negative requirements are driven by risk analysis and threat modeling
Authentication controls – common security requirements, threats and countermeasures:
Encrypt data in storage and in transit to mitigate the risk of information disclosure and authentication protocol attacks
Store passwords using non-reversible encryption, such as a digest (hash) and/or a seed, to prevent dictionary attacks
Lock out accounts after a threshold of failed attempts is reached; enforce password complexity
Display generic error messages upon validation failure
Mutually authenticate client and server to prevent non-repudiation (man-in-the-middle) attacks
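The authentication countermeasures listed above (non-reversible salted password digests, a failed-attempt lockout threshold, a complexity rule and a generic error message) worked into one small login module. This is an added example, not code from the notes or from NIST 800-30; the threshold, iteration count, complexity policy and the in-memory user table are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

LOCKOUT_THRESHOLD = 5            # assumed: failed attempts before the account locks
PBKDF2_ITERATIONS = 200_000      # assumed work factor for the password digest
GENERIC_ERROR = "Invalid username or password"  # same text for every failure cause


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """Assumed policy: minimum length and at least three character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= min_length and sum(classes) >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A random per-user salt defeats precomputed dictionaries."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """Constructed in-memory user table: stores only salt + digest, never the password."""

    def __init__(self) -> None:
        self.users = {}  # username -> {"salt", "digest", "failures", "locked"}

    def register(self, username: str, password: str) -> None:
        if not meets_complexity(password):
            raise ValueError("password does not meet the complexity policy")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest, "failures": 0, "locked": False}

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (ok, message). The message never reveals which check failed."""
        user = self.users.get(username)
        if user is None or user["locked"]:
            return False, GENERIC_ERROR
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):   # constant-time comparison
            user["failures"] = 0
            return True, "OK"
        user["failures"] += 1
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked"] = True                          # stays locked until reset
        return False, GENERIC_ERROR
```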

RISK MEASUREMENTS AND REPORTING
Operational risk cannot be considered without also considering technology risk
Technology Risk Manager
Not only answerable for the traditional responsibilities of IT and data protection, but also for:
Business process discussions related to access controls
Segregation of duties, approval hierarchies, notifications
Technology risk is often handled by separate departments