Managing Information Security Risk: Organization, Mission, and Information System View

Published: March 22, 2011


Shirley M. Radack


This bulletin summarizes the information presented in NIST Special Publication (SP) 800-39, Integrated Enterprise-Wide Risk Management: Organization, Mission and Information System View. This publication was developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. SP 800-39 provides a structured, yet flexible approach for managing risk that is supported by other NIST security standards and guidelines. The bulletin discusses the contents of the publication, explains the basic concepts and components of risk management, and describes a three-tiered risk management approach that allows organizations to establish an enterprise-wide risk management strategy as part of their governance structure. References are provided to additional sources of information on risk management.
Citation: ITL Bulletin -
NIST Pub Series: ITL Bulletin
Pub Type: NIST Pubs

Download Paper


confidentiality, cyber security, enterprise architecture, Federal Information Processing Standards, Federal Information Security Management Act, FISMA, information security, information security architecture, information security risk, information systems, Joint Task Force Transformation Initiative, NIST Special Publications, risk assessments, risk management, Risk Management Framework, security controls, security plans, security requirements, security risks, threats, vulnerabilities
Created March 22, 2011, Updated February 19, 2017