
 NIST (National Institute of Standards and Technology)

 Most commonly cited risk management sources.


 Special Publication 800-39.
 Managing Information Security Risk: Organization, Mission, and Information System View.
 NIST process (four components):

 Framing risk: What is the organization's risk tolerance, and how does it make decisions about risk?
 Assessing risk: What are the threats, vulnerabilities, likelihoods, and impacts that feed the risk equation, and what risk levels result?
 Responding to risk: Which alternatives (accept, avoid, mitigate, share, or transfer) will be chosen to address the risk?
 Monitoring risk: How will the organization monitor risk over time, verify that the chosen responses are in place, and respond to any impacts of those risk mitigation activities?
 ISO and IG Toolkit
• Started in 1947.
• It has published more than 19,500 standards for business and technology industries.
• ISO/IEC 27000 (overview and vocabulary) and ISO/IEC 27001 (requirements): Information Security Management Systems (ISMS).
• Supporting standard ISO/IEC 27005: information security risk management (risk assessment and treatment in support of 27001).
• Applicable to any sized organization or mission.
• Identifying opportunities and threats.
• Risk treatment options in the ISO 27000 family:
 Avoid: Do not do the action that causes the risk.
 Accept: Take the risk because the probable cost of the occurrence is less than the value of the objective it enables.
 Retain: With an informed decision, and where the potential loss is small enough, keep the risk and budget for it.
 Remove: Remove the vulnerability or the source of the risk.
 Change: Change the likelihood of occurrence or the consequences if it occurs.
 Share: Share the cost through insurance, contracting, or another third-party agreement.

The Information Governance Toolkit
• The IG Toolkit is published by the UK Department of Health (DH).
• It allows organizations handling health and care information to perform self-assessments of their compliance against information governance requirements.
• The goal of the toolkit is to properly maintain the confidentiality and security of personal information.

• Use: control variance, partial compliance, and remediation activities can be documented, tracked, and communicated from a single assessment record.
