NIST – Risk Management for Info Tech Systems

Every organization has a mission. In this digital era, as organizations use automated information
technology (IT) systems1 to process their information for better support of their missions, risk
management plays a critical role in protecting an organization’s information assets, and therefore
its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security
program. The principal goal of an organization’s risk management process should be to protect
the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk
management process should not be treated primarily as a technical function carried out by the IT
experts who operate and manage the IT system, but as an essential management function of the


This document has been developed by NIST in furtherance of its statutory responsibilities under
the Computer Security Act of 1987 and the Information Technology Management Reform Act of
1996 (specifically 15 United States Code (U.S.C.) 278 g-3 (a)(5)). This is not a guideline within
the meaning of 15 U.S.C. 278 g-3 (a)(3).

These guidelines are for use by Federal organizations which process sensitive information.
They are consistent with the requirements of OMB Circular A-130, Appendix III.
The guidelines herein are not mandatory and binding standards. This document may be used by
non-governmental organizations on a voluntary basis. It is not subject to copyright.

Nothing in this document should be taken to contradict standards and guidelines made
mandatory and binding upon Federal agencies by the Secretary of Commerce under his statutory
authority. Nor should these guidelines be interpreted as altering or superseding the existing
authorities of the Secretary of Commerce, the Director of the Office of Management and Budget,
or any other Federal official.


Risk is the net negative impact of the exercise of a vulnerability, considering both the probability
and the impact of occurrence. Risk management is the process of identifying risk, assessing risk,
and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the
development of an effective risk management program, containing both the definitions and the
practical guidance necessary for assessing and mitigating risks identified within IT systems. The
ultimate goal is to help organizations to better manage IT-related mission risks.

1 The term “IT system” refers to a general support system (e.g., mainframe computer, mid-range computer, local
area network, agencywide backbone) or a major application that can run on a general support system and whose
use of information resources satisfies a specific set of user requirements.

In addition, this guide provides information on the selection of cost-effective security controls.2
These controls can be used to mitigate risk for the better protection of mission-critical
information and the IT systems that process, store, and carry this information.

Organizations may choose to expand or abbreviate the comprehensive processes and steps
suggested in this guide and tailor them to their environment in managing IT-related mission


The objective of performing risk management is to enable the organization to accomplish its
mission(s) (1) by better securing the IT systems that store, process, or transmit organizational
information; (2) by enabling management to make well-informed risk management decisions to
justify the expenditures that are part of an IT budget; and (3) by assisting management in
authorizing (or accrediting) the IT systems3 on the basis of the supporting documentation
resulting from the performance of risk management.


This guide provides a common foundation for experienced and inexperienced, technical, and
non-technical personnel who support or use the risk management process for their IT systems.
These personnel include:

  • Senior management, the mission owners, who make decisions about the IT security budget
  • Federal Chief Information Officers, who ensure the implementation of risk management for agency IT systems and the security provided for these IT systems
  • The Designated Approving Authority (DAA), who is responsible for the final decision on whether to allow operation of an IT system
  • The IT security program manager, who implements the security program
  • Information system security officers (ISSO), who are responsible for IT security
  • IT system owners of system software and/or hardware used to support IT functions
  • Information owners of data stored, processed, and transmitted by the IT systems
  • Business or functional managers, who are responsible for the IT procurement process
  • Technical support personnel (e.g., network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems
  • IT system and application programmers, who develop and maintain code that could affect system and data integrity

2 The terms “safeguards” and “controls” refer to risk-reducing measures; these terms are used interchangeably in
this guidance document.
3 Office of Management and Budget’s November 2000 Circular A-130, the Computer Security Act of 1987, and the
Government Information Security Reform Act of October 2000 require