djscoot215
Viewer II

DDoS Risk Assessment

My organization received a recommendation from a third-party audit that we conduct a DDoS specific risk assessment. Are there any publicly available tools or templates for this specific purpose? Any help is appreciated!

2 Replies
Until_then
Contributor I

You can check NIST SP 800-30 which describes how to conduct a risk assessment. Conducting a control assessment (utilizing NIST SP 800-53A) is a good start to see how well the controls are actually working. You can then conduct a risk assessment to see if the working controls mitigated the risk to your organization's risk tolerance level.
Always keep in mind the basics of what risk is: It's the likelihood of a threat exploiting a vulnerability and the resulting impact. 
Look at the various threats then determine the vulnerabilities of your information system. The impact caused by those threats (e.g., high, moderate, or low impact) is a subjective matter, dependent on your organization's opinion on the compromise of its data. 
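One way to put the loop the reply describes (assess the controls, rate likelihood and impact per threat scenario, compare residual risk with the organization's tolerance) into a reviewable form is a small scripted risk register. The example below is added here; it is not from the thread and not a NIST tool. The DDoS scenarios, the control credit, the level-combination rule and the tolerance are all constructed for illustration and only approximate the qualitative scales of NIST SP 800-30 Rev. 1; a real assessment would substitute its adopted risk matrix.

```python
"""Hypothetical DDoS risk register (constructed example, not NIST's own
method). Inherent likelihood and impact are rated per threat scenario, a
verified-working control earns likelihood credit, and residual risk is
compared with the organization's stated risk tolerance."""

from dataclasses import dataclass

# Qualitative scale, lowest to highest; the index doubles as an ordinal value.
LEVELS = ["very low", "low", "moderate", "high", "very high"]


@dataclass
class Scenario:
    name: str
    threat: str               # threat source / event being considered
    vulnerability: str        # weakness in the information system it would exploit
    likelihood: str           # inherent likelihood, before any control credit
    impact: str               # impact on the organization if the DoS succeeds
    control_effective: bool   # outcome of the SP 800-53A-style control test


def level_index(level: str) -> int:
    """Map a qualitative level to its position on the scale (0..4)."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)


def residual_likelihood(likelihood: str, control_effective: bool) -> str:
    """Constructed rule: a control verified as working lowers likelihood by two
    steps on the scale; an ineffective or untested control earns no credit."""
    idx = level_index(likelihood)
    if control_effective:
        idx = max(0, idx - 2)
    return LEVELS[idx]


def risk_level(likelihood: str, impact: str) -> str:
    """Constructed combination rule: floor of the average of the two scale
    positions. Replace with the organization's adopted risk matrix."""
    idx = (level_index(likelihood) + level_index(impact)) // 2
    return LEVELS[idx]


def assess(scenarios, tolerance: str):
    """Return (name, residual risk level, exceeds tolerance) per scenario,
    highest residual risk first. Scenarios flagged True need risk treatment."""
    rows = []
    for s in scenarios:
        residual = risk_level(
            residual_likelihood(s.likelihood, s.control_effective), s.impact)
        exceeds = level_index(residual) > level_index(tolerance)
        rows.append((s.name, residual, exceeds))
    rows.sort(key=lambda r: level_index(r[1]), reverse=True)  # stable sort
    return rows


# Constructed sample register for an imaginary organization.
SCENARIOS = [
    Scenario("Volumetric flood against public web front end",
             "high-volume traffic flood from the internet",
             "single upstream link, no edge rate limiting",
             likelihood="high", impact="high",
             control_effective=True),    # upstream scrubbing service tested OK
    Scenario("Application-layer request flood on login API",
             "many expensive requests to one endpoint",
             "unauthenticated endpoint with no request throttling",
             likelihood="moderate", impact="very high",
             control_effective=False),   # throttling rule not yet deployed
    Scenario("Authoritative DNS exhaustion",
             "query flood at the DNS provider",
             "single DNS provider for all zones",
             likelihood="low", impact="very high",
             control_effective=True),    # secondary provider verified working
    Scenario("Flood against internal-only reporting service",
             "misbehaving internal client",
             "service lacks connection limits",
             likelihood="low", impact="low",
             control_effective=False),
]

RISK_TOLERANCE = "moderate"   # constructed: residual risk up to moderate is accepted


if __name__ == "__main__":
    for name, residual, exceeds in assess(SCENARIOS, RISK_TOLERANCE):
        print(f"{'TREAT' if exceeds else 'accept':7} {residual:10} {name}")
```

With these constructed inputs only the login-API scenario ends above tolerance, because its control was assessed as not working; the volumetric scenario starts higher but the verified scrubbing control brings it down. The point is the ordering of steps from the reply: control assessment results feed the likelihood rating, and the tolerance comparison is what turns the register into a treatment list.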

iluom
Contributor II
Is there any framework or something as such from NIST to define the scope and goals of Annual Pen testing of a software product?

Chandra Mouli, CISSP, CCSP, CSSLP