NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
CHAPTER THREE PAGE 41
This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-37r2
RISK ASSESSMENT—SYSTEM
TASK P-14 Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis.
Potential Inputs: Assets to be protected; missions, business functions, and mission/business processes the system will support; business impact analyses or criticality analyses; system stakeholder information; information about other systems that interact with the system; provider information; threat information; data map; system design documentation; Cybersecurity Framework Profiles; risk management strategy; organization-level risk assessment results.
Expected Outputs: Security and privacy risk assessment reports.
Primary Responsibility: System Owner; System Security Officer; System Privacy Officer.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Authorizing Official or Authorizing Official Designated Representative; Mission or Business Owner; Information Owner or Steward; Control Assessor.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: This task may require that organizations conduct security and privacy risk assessments to ensure that each type of risk is fully assessed. Assessment of security risk includes identification of threat sources[67] and threat events affecting assets, whether and how the assets are vulnerable to the threats, the likelihood that an asset vulnerability will be exploited by a threat, and the impact (or consequence) of loss of the assets. As a key part of the risk assessment, assets are prioritized based on the adverse impact or consequence of asset loss. The meaning of loss is defined for each asset type to enable a determination of the loss consequence (i.e., the adverse impact of the loss). Loss consequences may be tangible (e.g., monetary, industrial casualties) or intangible (e.g., reputation) and constitute a continuum that spans from partial loss to total loss relative to the asset. Interpretations of information loss may include, for example, loss of possession, destruction, or loss of precision or accuracy. The loss of a function or service may be interpreted as a loss of control, loss of accessibility, loss of the ability to deliver normal function, performance, or behavior, or a limited loss of capability resulting in a level of degradation of function, performance, or behavior. Physical consequences of compromise can include unscheduled production downtime, industrial equipment damage, casualties at the site, environmental disasters and public safety threats. Prioritization of assets is based on asset value, physical consequences, cost of replacement, criticality, impact on image or reputation, or trust by users, by collaborating organizations, or by mission or business partners. The asset priority translates to precedence in allocating resources, determining strength of mechanisms, and defining levels of assurance.
Privacy risk assessments are conducted to determine the likelihood that a given operation the system is taking when processing PII could create an adverse effect on individuals—and the potential impact on individuals.[68] These adverse effects can arise from unauthorized activities that lead to the loss of confidentiality, integrity, or availability in information systems processing PII, or may arise as a byproduct of authorized activities. Privacy risk assessments are influenced by contextual factors. Contextual factors can include, but are not limited to, the sensitivity level of the PII, including specific elements or in aggregate; the types of organizations using or interacting with the system and individuals’ perceptions about the organizations with respect to privacy; individuals’ understanding about the nature and purpose of the processing; and the privacy interests of individuals, technological expertise or demographic characteristics that influence their understanding or behavior. The privacy risks to individuals may affect
[67] In addition, the use of threat intelligence, threat analysis, and threat modelling can help organizations develop the security capabilities necessary to reduce organizational susceptibility to a variety of threats including hostile cyber-attacks, equipment failures, natural disasters, and errors of omission and commission.
[68] [IR 8062] introduces privacy risk management and a privacy risk model for conducting privacy risk assessments.