topic DDoS Risk Assessment in Governance, Risk, Compliance

DDoS Risk Assessment

djscoot215 — Wed, 01 Dec 2021 15:49:39 GMT

My organization received a recommendation from a third-party audit that we conduct a DDoS specific risk assessment. Are there any publicly available tools or templates for this specific purpose? Any help is appreciated!

Re: DDoS Risk Assessment

Until_then — Wed, 01 Dec 2021 18:43:11 GMT

You can check NIST SP 800-30 which describes how to conduct a risk assessment. Conducting a control assessment (utilizing NIST SP 800-53A) is a good start to see how well the controls are actually working. You can then conduct a risk assessment to see if the working controls mitigated the risk to your organization's risk tolerance level.

Always keep in mind the basics of what risk is: It's the likelihood of a threat exploiting a vulnerability and the resulting impact.

Look at the various threats then determine the vulnerabilities of your information system. The impact caused by those threats (e.g., high, moderate, or low impact) is a subjective matter, dependent on your organization's opinion on the compromise of its data.

Re: DDoS Risk Assessment

iluom — Thu, 02 Dec 2021 18:26:53 GMT

Is there any framework or something as such from NIST to define the scope and goals of Annual Pen testing of a software product?