Risk Assessment as per NIST SP 800-30 

Ingram Micro Cyber Security
25K views

Published: 10 Sep 2024

Comments: 16
@olalkn 3 years ago
This training is bang on and excellently delivered. I thoroughly enjoyed it and learned a lot. Thank you guys
@elvislam4649 2 years ago
Explanation is clear and direct, good job.
@ho96 1 year ago
Thanks for an excellent lecture, so smooth, and it made me imagine how long it's going to be before I can speak smoothly like you do😀. Great job and thank you!
@ijeomaugwo7067 3 years ago
This is a fantastic training. I learnt a lot, thank you.
@estarr28 11 months ago
Great information! Thank you 👍
@jameslee4568 2 years ago
Very informative, thanks!
@merazhussain6022 8 months ago
Brilliant presentation
@techiegz 4 years ago
Around the 26th minute mark, you mention that NIST SP 800-30 does not identify assets prior to conducting a risk assessment. While this is technically true of the SP, I have to point out that assets are identified in NIST SP 800-37 prior to assessing risk; asset identification is covered/handled in Phase 1 of the NIST Risk Management Framework (RMF) prior to assessing risks on the identified assets using the 800-30. If assets aren't first identified, how do we know what threat sources are relevant, if for example the asset is a computer network vs. the world's most comfortable bed? In NIST SP 800-37 Revision 2, Task P-10 is Asset Identification while the subsequent Task P-14 is Risk Assessment on the earlier identified assets using NIST SP 800-30. And in a prior Task P-3, there's also a risk assessment for the organization itself, which of course is already identified if it's seeking to assess risks on itself. I suggest not using any NIST SP in isolation, because their contents are intertwined, so as to avoid misunderstanding them. Better yet, use the 800-37 as a reference point because it ties together the relevant NIST SPs as they apply in their respective RMF process.
@felicitasamana586 3 years ago
I saw your comment before listening. However, the asset was mentioned. He said it numerous times. You can listen again.
@ikey1119 2 years ago
I listened to this entire video while I went for a run and came back to the comments. This comment really tied it all together for me. Coming from an RMF perspective you're right, NIST 800-37 ties them all together from a holistic point of view, which makes this video much more palatable. Thanks
@bggees 1 year ago
These Frameworks are not holy grails and are guidance for the most part. For example, some well-seasoned Risk professionals would only apply what makes sense to their organization. Some even prefer the FAIR framework/approach, which NIST has also been recommending.
@techiegz 1 year ago
@@bggees You mean the Frameworks can be "tailored" to your org's needs? Yes, but that's a different argument. If it provides guidance to identify assets prior to assessments and you tailor out that step, it's on you. And tailoring out critical steps is where orgs get into trouble that results in flaws and gaps in their security program/processes. Bottom line is that you have to identify the asset(s) in scope before you do whatever you need to do.
@bggees 1 year ago
@@techiegz I agree with you 💯. Asset identification must come first, before any other steps such as threat community, threat types, effects, etc.
@tauqeerahmed394 2 years ago
fantastic
@tohkengleng9034 2 years ago
Money