I've been a fan of NIST ever since talking shop with some of their authors back in '03. They were technically sound, process oriented, and genuinely cared about their work. Maybe it's the old product manager in me, but I appreciate their functional approach, meaning they focus on what to do rather than prescribing how to do it. NIST provides examples and suggestions but leaves the dirty work up to you. If you have anything to do with prioritizing IT risk and spend, I highly recommend NIST's recent update for risk assessments, SP 800-30 Rev 1.
The original SP 800-30, "Risk Management Guide for Information Technology Systems," debuted in '02. Rev 1 is titled "Guide for Conducting Risk Assessments." I think the more focused title represents the evolution nicely. Rev 1 does a much better job of explaining what to do, with the nice bonus of why. While Rev 1 still challenges you to construct your own process, it does a much better job of suggesting how.
There are many highlights and I could write all day. Here are a few key points to watch for as you read the guide:
Hierarchy: a solid description of the differences between strategic and tactical assessments across the three tiers, i.e. the organization level, the mission/business process level, and the information system level.
Improved pros and cons of risk prioritization approaches: while the examples lean heavily on qualitative assessments, the process holds up for any model, qualitative, semi-quantitative or quantitative, that resonates best with your organization.
A nice focus on adversarial threats, characterized by intent, capability, and targeting.
Communication: a topic dear to my heart, and Rev 1 puts a bit more meat on it. We all know that puppies die when well-organized evidence is lost to poor communication.
Now, of course, I have a vested interest in this guide. As a builder of risk and spend prioritization tools, I read the guide with a bit of nervous energy. Does NIST disagree with our approach? Did they add something we missed? Turns out I'm more fired up than ever about Risk Communicator. The advancements in Rev 1 map nicely onto Risk Communicator. We also focus on areas where NIST doesn't go into great detail, e.g. the steps to prioritize spending. I do think Rev 1 does a better job of walking readers through the assessment workflow than we do. I'm not sure whether we need a companion guide, videos, or better online help; probably all three! I do know that Risk Communicator is a heck of a lot better than our old competitor, the spreadsheet. If you're inclined to instantiate SP 800-30 Rev 1 in a spreadsheet or application, please drop us a line. At a minimum we can share tips and point out the pitfalls with alligators in them.
There's a lot of content worthy of commentary in Rev 1, but I suggest reading the guide rather than reading about it. After you take it all in, test-drive Risk Communicator and tell us what you think! There are many areas where we can improve, and for that I extend a big thank you to NIST.