our next NIST framework is gonna come to us from missed 800 deaths. 30 and where it revision one currently. And this particular NIST documents in this document gives us an approach for conducting risk assessments.
Now, when we talk about risk assessment again, we want to be able to identify risks based on threats and vulnerabilities.
And then we want to get an estimate of the lost potential. And then we want to compare that up against costs of countermeasures and risk mitigation solutions in order to determine which which option is gonna be good for us. Okay,
So when we start with risk assessments, what we're looking to do here, we want to provide support
to our stakeholders. I want to justify risk responses. I want to justify when I come to, ah, the chief financial officer and say, Give me a check. I need $50,000 by this afternoon. Well, I've got to provide the supporting information.
And really part of the purpose of a risk assessment is to provide that information.
Um, And when we talk about risk assessments, so we start off with risk identification by looking at assets, threats, vulnerabilities.
Then, when we do the analysis piece, we're looking at probability and impact.
And then when we're doing the evaluation, peace were looking at costs. And we're looking at efficiency of the risk controls and how we make a good solution on mitigation. Given all of that information in context, right,
So we're doing the same thing. We may use slightly different terms,
but we're starting out by figuring out what is our
Ah ah, what are risks are
what's the potential for loss and then how that fits in the grand scheme of things like countermeasure. So ultimately, what we wanna wind up with is we wanna have a result generally that recommends, or that indicates what the severity and impacts or
with the potential for loss is.
All right. Now, when we talk about risk assessments, we can start all the way at the top, and look, ATT risks affecting the organization as a whole,
right? Or we can look ATT risks from particular business processes, or we can look at risks as they impact individual systems. Right? So first thing, when we talk about risk context or framing the risk, we have to kind of think about which of these areas
is gonna have our focus,
right? I can't look at everything all at once. So if I'm doing an organizational assessment, I'm not gonna look at Jane Smith's computer,
right? I've got a very broad task, and I'm not gonna get that microscope up. But if I am looking specifically for software vulnerabilities, I'm not gonna be analyzing the market for years to come.
So just understanding which risk were focusing on that's gonna make a difference. But knowing that they all information systems risks become business risks and business risks become mission risks.