Thank you for posting this! Great content and it helps supplement the document itself.
@olalkn 3 years ago
This training is bang on and excellently delivered. I thoroughly enjoyed it and learned a lot. Thank you guys
@ijeomaugwo7067 3 years ago
This is a fantastic training. I learnt a lot, thank you.
@ho96 1 year ago
Thanks for the excellent lectures, so smooth that it made me imagine how long it's going to be before I can speak smoothly like you do 😀. Great job and thank you!
@elvislam4649 2 years ago
Explanation is clear and direct, good job.
@estarr28 1 year ago
Great information! Thank you 👍
@merazhussain6022 10 months ago
Brilliant presentation
@jameslee4568 2 years ago
Very informative, thanks!
@techiegz 4 years ago
Around the 26th minute mark, you mention that NIST SP 800-30 does not identify assets prior to conducting a risk assessment. While this is technically true of the SP, I have to point out that assets are identified in NIST SP 800-37 prior to assessing risk; asset identification is covered/handled in Phase 1 of the NIST Risk Management Framework (RMF) prior to assessing risks on the identified assets using the 800-30. If assets aren't first identified, how do we know what threat sources are relevant, if, for example, the asset is a computer network vs. the world's most comfortable bed? In NIST SP 800-37 Revision 2, Task P-10 is Asset Identification, while the subsequent Task P-14 is Risk Assessment on the earlier identified assets using NIST SP 800-30. And in a prior Task P-3, there's also a risk assessment for the organization itself, which of course is already identified if it's seeking to assess risks on itself. I suggest not using any NIST SP in isolation, because their contents are intertwined, so as to avoid misunderstanding them. Better yet, use the 800-37 as a reference point because it ties together the relevant NIST SPs as they apply in their respective RMF process.
@felicitasamana586 3 years ago
I saw your comment before listening. However, asset was mentioned. He said it numerous times. You can listen again.
@ikey1119 3 years ago
I listened to this entire video while I went for a run and came back to the comments. This comment really tied it all together for me. Coming from an RMF perspective you're right, NIST 800-37 ties them all together from a holistic point of view, which makes this video much more palatable. Thanks
@bggees 1 year ago
These frameworks are not holy grails and are guidance for the most part. For example, some well-seasoned risk professionals would only apply what makes sense to their organization. Some even prefer the FAIR framework/approach, which NIST has also been recommending.
@techiegz 1 year ago
@bggees You mean the frameworks can be "tailored" to your org's needs? Yes, but that's a different argument. If it provides guidance to identify assets prior to assessments and you tailor out that step, it's on you. And tailoring out critical steps is where orgs get into trouble that results in flaws and gaps in their security program/processes. Bottom line is that you have to identify the asset(s) in scope before you do whatever you need to do.
@bggees 1 year ago
@techiegz I agree with you 💯. Asset identification must come first, before any other steps such as threat community, threat types, effects, etc.