
SP 800-30, NIST SPECIAL PUBLICATION RISK MANAGEMENT GUIDE FOR INFORMATION TECHNOLOGY SYSTEMS (JULY 2002)

Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks. In addition, this guide provides information on the selection of cost-effective security controls. These controls can be used to mitigate risk for the better protection of mission-critical information and the IT systems that process, store, and carry this information.


Version: 06-2002 (450.32 KB, SP_800-30)



