"A lot of folks think that the guidance we put out is very dogmatic; you have to follow it step by step," Ross, a fellow and senior computer scientist at the National Institute of Standards and Technology, says in an interview with Information Security Media Group. "But this publication in particular helps organizations design a risk assessment process that works for their particular organization."
"The key is to make it work so that you can get the best information, so you understand what kind of security controls do I really need to protect my critical systems and those critical missions those systems might be supporting," he says.
The guide allows the use of "a quantitative approach or qualitative approach or something in between to come up with the best information you can with regards to the risks your organization is going to face," Ross says.
In the interview, Ross explains:
- How the revised guide differs from early versions of risk assessment guidance.
- The benefits and limits of risk assessments. "You can't protect everything," he says.
- Why a unified information security framework, of which the revised guidance is a component, is important not only to the U.S. federal government but to other types of organizations, too, in mitigating risk.
Ross - lead author of NIST Special Publications 800-30 and 800-37, the authoritative guidance on risk assessment and risk management - specializes in security requirements definition, security testing and evaluation, and information assurance. He leads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure.
He also heads the Joint Task Force Transformation Initiative Working Group, a joint partnership of NIST, the Defense Department, the intelligence community and the Committee on National Security Systems, formed to develop a unified information security framework for the federal government.
Ross serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.