What kind of security risk assessment methodology does MS2 use and does it conform to NIST (National Institute of Standards) protocols?

MS2 bases its security risk assessment methodology on NIST Risk Management Guide for Information Technology Systems (Special Publication 800-30). MS2 relies on this detailed publication since it has become a core resource for most groups that promulgate security standards.

The MS2 risk assessment methodology is both quantitative and a qualitative, following the NIST guidelines. It includes:

• Assessing information security safeguards (i.e., policies, procedures, and security controls or security safeguards) against the threats and vulnerabilities applicable to the information technology and business circumstances of the organization.
• Assigning the likelihood (i.e., probability) and the business impact factor for each vulnerability.
• Calculating risk vulnerability and organizational risk scores based upon the safeguards in place and planned against the likelihood and the impact of the vulnerabilities.

MS2 is a complete information security compliance solution that includes a robust threat and vulnerability risk assessment, a compliance gap assessment including business rationales for not addressing gaps, compliance tracking, and a comprehensive set of easy-to-use compliance reports. MS2 incorporates its results into the security management framework provided through NIST and well as the framework of other organizations such as ITGI and ISO.