Ask the Expert

Fundamental Information Risk Management

Where can I receive information about FIRM (Fundamental Information Risk Management)? Is it an information risk management methodology?


There are several risk management methodologies available in the industry today. They include:
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  • CCTA Risk Analysis and Management Method (CRAMM)
  • Information Security Forum's Fundamental Information Risk Management (FIRM)
  • Commonly Accepted Security Practices and Regulations (CASPR)
  • Control Objectives for Information and (Related) Technology (COBIT)
  • A portion of ISO 17799
Fundamental Information Risk Management (FIRM) was developed by the consortium of corporations that make up the Information Security Forum (ISF). The ISF is a not-for-profit body that organizations join by paying an annual fee. FIRM outlines a process for carrying out a structured risk assessment. Under this approach, the owner of each business resource or asset fills out a scorecard that measures five elements of risk:
  • Criticality
  • The vulnerability of various elements in your resource
  • Any special circumstances affecting your resource, such as the maturity or complexity of technology
  • The level of threat
  • The potential business impact of a breach or denial-of-service
After each owner supplies this information, the program director (often the security officer) correlates the data to provide a holistic view of the organization's risk posture as it relates to the identified assets. The goal is to identify the business impact if one or more of these assets are negatively affected. The scorecards are mapped together to provide a visual representation of the data that has been entered and collected.

Citicus has created a risk management tool, Citicus ONE, which is based mainly on the FIRM assessment methodology.

FIRM is more popular outside of the U.S., while COBIT and OCTAVE are more widely accepted in the industry as approaches to IT governance and risk assessment.

I had difficulties accessing FIRM documentation, which leads me to believe you will need to contact the Information Security Forum directly and most likely pay to become a member in order to access their documentation. You can contact them via Tel: +44 (0)20 7212 5346, or E-mail: becky.meyjes@securityforum.org or isfinfo@securityforum.org.



This was first published in September 2005.
