View source for Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.16 Risk assessment

===Appendix 1.14  Risk assessment===
====RA-1 Risk assessment policy and procedures====
This control recommends the organization develop, document, disseminate, review, and update risk assessment policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of risk asssessment action but also to address how those policies and procedures will be implemented, reviewed, and updated. 

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], pages 68–69
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publication 800-100], pages 84–95
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_management LIMSpec 7.1, 7.2]

====RA-2 Security categorization====
This control recommends the organization categorize the information system and its data based on security. More specifically, NIST notes the security categorization should be based upon "the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are comprised through a loss of confidentiality, integrity, or availability." Additionally, the organization should document the results and supporting rationale of the security categorization and ensure the results are reviewed and approved by the authorizing individuals or roles in the organization.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publication 800-39]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-1-rev-1/final NIST Special Publications 800-60, Vol. 1, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final NIST Special Publications 800-60, Vol. 2, Rev. 1]
* No LIMSpec comp (organizational policy rather than system specification)

====RA-3 Risk assessment====
This control recommends the organization conduct risk assessments of the information system and the data that is processed, stored, and transmitted within it. The assessment should address the likelihood and potential outcomes of unauthorized "access, use, disclosure, disruption, modification, or destruction" of the system and its data. The results of this assessment should be documented as part of a security plan, risk assessment report, or some other type of organizational document and disseminated to the appropriate individuals. The document should be reviewed at a defined frequency updated when significant changes to the system or cybersecurity threats occur.

'''Additional resources''':
* [https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final NIST Special Publication 800-30, Rev. 1]
* [https://csrc.nist.gov/publications/detail/sp/800-39/final NIST Special Publication 800-39]
* No LIMSpec comp (organizational policy rather than system specification)

====RA-5 Vulnerability scanning====
This control recommends the organization conduct vulnerability scanning of its system. "Vulnerability scanning includes, for example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and (iii) scanning for improperly configured or incorrectly operating information flow control mechanisms." These scans should occur at a defined frequency, randomly as part of organizational processes, or when new vulnerabilities have been identified. The tools employed should be standardized to detect software flaws and improper configurations using formatting checklists test procedures, while also measuring vulnerability impact. The organizations should analyze the results of these scans, remediated legitimate vulnerabilities, and share details with appropriate personnel or roles, particularly when vulnerabilities may affect other portions of the system.

'''Additional resources''':
* [https://nvd.nist.gov/ NIST National Vulnerability Database]
* [https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final NIST Special Publication 800-40, Rev. 3]
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publication 800-70, Rev. 4]
* [https://csrc.nist.gov/publications/detail/sp/800-115/final NIST Special Publication 800-115]
* No LIMSpec comp (organizational policy rather than system specification)