Overview
This document offers an integrated approach to managing information security risk across an organization, addressing risk to organizational operations, assets, individuals, and national interests. It provides a broad-based strategy for risk management that is meant to be harmonized with an organization's existing enterprise risk management program rather than to replace it. SP 800-39 serves as a foundational guideline, complementing other NIST security standards and methods by addressing how risk is planned for, assessed, and continuously monitored. The framework sets out the roles, responsibilities, and strategies needed to implement an effective, enterprise-wide information security risk management program.