NIST SP 800-39FPD Appendix E
APPENDIX E
RISK MANAGEMENT PROCESS TASKS
SUMMARY OF TASKS FOR STEPS IN THE RISK MANAGEMENT PROCESS
TASK | TASK DESCRIPTION |
Step 1: Risk Framing | |
TASK 1-1 RISK ASSUMPTIONS | Identify assumptions about threats, vulnerabilities, consequences/impact, and likelihood of occurrence that affect how risk is assessed, responded to, and monitored within the organization. |
TASK 1-2 RISK CONSTRAINTS | Identify constraints on the conduct of risk assessment, risk response, and risk monitoring activities within the organization. |
TASK 1-3 RISK TOLERANCE | Identify the level of risk tolerance for the organization. |
TASK 1-4 PRIORITIES AND TRADE-OFFS | Identify priorities and trade-offs considered by the organization in managing risk. |
Step 2: Risk Assessment | |
TASK 2-1 THREAT AND VULNERABILITY IDENTIFICATION | Identify threats to and vulnerabilities in organizational information systems and the environments in which the systems operate. |
TASK 2-2 RISK DETERMINATION | Determine the risk to organizational operations and assets, individuals, other organizations, and the Nation if identified threats exploit identified vulnerabilities. |
Step 3: Risk Response | |
TASK 3-1 RISK RESPONSE IDENTIFICATION | Identify alternative courses of action to respond to risk determined during the risk assessment. |
TASK 3-2 EVALUATION OF ALTERNATIVES | Evaluate alternative courses of action for responding to risk. |
TASK 3-3 RISK RESPONSE DECISION | Decide on the appropriate course of action for responding to risk. |
TASK 3-4 RISK RESPONSE IMPLEMENTATION | Implement the course of action selected to respond to risk. |
Step 4: Risk Monitoring | |
TASK 4-1 RISK MONITORING STRATEGY | Develop a risk monitoring strategy for the organization that includes the purpose, type, and frequency of monitoring activities. |
TASK 4-2 RISK MONITORING | Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes. |