Information Security

Risk Assessment and Risk Management

Risk is the likelihood that a vulnerability will be exploited multiplied by the value of the information asset, minus the percentage of that risk already mitigated by current controls, plus an allowance for the uncertainty in current knowledge of the vulnerability. Written out: Risk = (likelihood × asset value) − (percentage mitigated by current controls) + (percentage of uncertainty), where both percentages are applied to the likelihood × asset value product. The result is a relative score used to rank vulnerabilities against each other, not a dollar figure.
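As an added worked example (it is not part of the EPCC page or its survey packet), the formula above applied across a small risk worksheet and used to rank vulnerabilities for treatment. The worksheet entries, asset values and percentages are constructed for illustration. The reading of the two percentages is an assumption: both are taken as percentages of the base risk (likelihood × asset value), which is what "percentage of risk mitigated" implies.

```python
"""Ranked risk worksheet built on the formula quoted above.

Assumed reading of the formula (an assumption about the page's wording,
not something the page states explicitly):

    base  = likelihood * asset_value
    risk  = base - base * mitigated_pct/100 + base * uncertainty_pct/100

Likelihood is a probability in [0, 1]; asset value is a relative worth on
a scale the organisation chooses (1..100 here); the two percentages are
in [0, 100].
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WorksheetEntry:
    asset: str
    vulnerability: str
    asset_value: float      # relative worth of the asset, 1..100
    likelihood: float       # chance the vulnerability is exploited, 0.0..1.0
    mitigated_pct: float    # share of the base risk removed by current controls
    uncertainty_pct: float  # how unsure we are about likelihood and value


def risk(entry: WorksheetEntry) -> float:
    """Risk score for one worksheet entry; rejects out-of-range inputs."""
    if not 0.0 <= entry.likelihood <= 1.0:
        raise ValueError(f"likelihood must be in [0, 1]: {entry.likelihood}")
    if entry.asset_value < 0:
        raise ValueError(f"asset value must be non-negative: {entry.asset_value}")
    for name in ("mitigated_pct", "uncertainty_pct"):
        pct = getattr(entry, name)
        if not 0.0 <= pct <= 100.0:
            raise ValueError(f"{name} must be in [0, 100]: {pct}")
    base = entry.likelihood * entry.asset_value
    mitigated = base * entry.mitigated_pct / 100.0
    uncertainty = base * entry.uncertainty_pct / 100.0
    return base - mitigated + uncertainty


def residual_risk(entry: WorksheetEntry, new_mitigated_pct: float) -> float:
    """Risk if a proposed control raised the mitigated share to new_mitigated_pct.

    Uncertainty is left unchanged: adding a control does not by itself improve
    what we know about the vulnerability.
    """
    proposed = WorksheetEntry(
        entry.asset, entry.vulnerability, entry.asset_value,
        entry.likelihood, new_mitigated_pct, entry.uncertainty_pct,
    )
    return risk(proposed)


def rank_worksheet(entries):
    """Return (asset, vulnerability, score) tuples, highest risk first."""
    scored = [(e.asset, e.vulnerability, risk(e)) for e in entries]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample worksheet (hypothetical assets, values and estimates).
SAMPLE_WORKSHEET = [
    WorksheetEntry("Student records database", "unpatched DBMS",
                   asset_value=100, likelihood=0.5,
                   mitigated_pct=50, uncertainty_pct=20),
    WorksheetEntry("Public web server", "default admin credentials",
                   asset_value=50, likelihood=1.0,
                   mitigated_pct=0, uncertainty_pct=10),
    WorksheetEntry("Lab workstation", "missing OS updates",
                   asset_value=10, likelihood=0.8,
                   mitigated_pct=25, uncertainty_pct=30),
]


if __name__ == "__main__":
    for asset, vuln, score in rank_worksheet(SAMPLE_WORKSHEET):
        print(f"{score:6.1f}  {asset}: {vuln}")
    web = SAMPLE_WORKSHEET[1]
    print("web server after enforcing unique credentials (80% mitigated):",
          residual_risk(web, 80))
```

Note that the web server outranks the far more valuable database: a certain-to-be-exploited weakness with no current control scores higher than a half-likely one that is already half mitigated, which is the behaviour a worksheet like this is meant to surface. The uncertainty term deliberately pushes poorly understood vulnerabilities up the list rather than down.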

The EPCC Risk Assessment Program is intended to provide departments with the information and tools they need to properly manage the security risks associated with their information technology assets.

Risk assessments are one part of managing the risk to information resources. The EPCC Risk Assessment survey for departmental use is available here: Risk Assessment Survey packet (PDF)

Organizations in all sectors of the economy depend upon information systems and communications networks, and share common requirements to protect sensitive information. NIST's Information Technology Laboratory (ITL) works with industry and government to establish secure information technology systems for protecting the integrity, confidentiality, reliability, and availability of information.

Under the Computer Security Act of 1987 (P.L. 100-235), the Computer Security Division of the Information Technology Laboratory (ITL) develops computer security prototypes, tests, standards, and procedures to protect sensitive information from unauthorized access or modification. Focus areas include cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support.

NIST's Special Publications present the results of NIST studies, investigations, and research on information technology security issues. The risk management guide referenced by this program is National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems.