Title: The state of the art of risk assessment and management for information systems
Authors: Lulu Liang, Wang Ren, Jing Song, Huaming Hu, Qiang He, Shuo Fang
Venue: 2013 9th International Conference on Information Assurance and Security (IAS)
Publication date: 2013-12-01
DOI: 10.1109/ISIAS.2013.6947735 (https://doi.org/10.1109/ISIAS.2013.6947735)
Citations: 8
Abstract
Risk assessment and management for information systems are essential to assuring system security. They require careful and systematic analysis of threat and vulnerability information. From the results of that analysis, we can determine the extent to which events could adversely impact the organization and the likelihood that such events will occur. Under the Federal Information Security Management Act (FISMA) of 2002, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) develops a series of publications to protect information systems. In this paper, we outline the state of the art of risk assessment and management as developed by the ITL at NIST. Some fundamental concepts and a model are introduced to interpret the process of risk assessment. In addition, the relationships among the security-related publications that correspond to risk management are analyzed and summarized.