Fundamental Information Risk Management
Where can I receive information about FIRM (Fundamental Information Risk Management)? Is it an information risk management methodology?
There are several risk management methodologies available in the industry today. They include:
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- CCTA Risk Analysis and Management Method (CRAMM)
- Information Security Forum's Fundamental Information Risk Management (FIRM)
- Commonly Accepted Security Practices and Regulations (CASPR)
- Control Objectives for Information and (Related) Technology (COBIT)
- A portion of ISO 17799
Fundamental Information Risk Management (FIRM) was developed by a consortium of corporations that make up the Information Security Forum (ISF). ISF is a not-for-profit that organizations can join by paying an annual fee. FIRM provides a defined process for carrying out a structured risk assessment. This approach to risk management requires the owner of each business resource or asset to fill out a scorecard to measure the five elements of risk:
- The vulnerability of various elements in your resource
- Any special circumstances affecting your resource, such as the maturity or complexity of technology
- The level of threat
- The potential business impact of a breach or denial-of-service
After each owner supplies this information, the program director (often the security officer) correlates the data to provide a holistic view of the organization's risk posture as it relates to the identified assets. The goal is to identify the business impact if one or more of these assets are negatively affected. The scorecards are mapped together to provide a visual representation of the data that has been entered and collected.
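To make the scorecard-and-correlation step concrete, here is an added Python example (not FIRM's own scoring, and not code from ISF or Citicus). It models the four scorecard elements listed above as they might come back from several asset owners, then does the program director's job of combining them into a ranked, organization-wide view. The 1-5 scale, the averaging of the likelihood-side elements, the impact-times-exposure rating rule, the band thresholds and the sample assets are all assumptions made for this example.

```python
"""Aggregate per-asset risk scorecards into a ranked, organisation-wide view.

Illustrative only: the four scorecard elements come from the text above, but the
1-5 scale, the combination rule and the banding are assumptions for this example,
not FIRM's published scoring.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # assumed scale: 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Scorecard:
    """One owner's answers for one business resource."""
    asset: str
    owner: str
    vulnerability: int          # weakness of the resource's components
    special_circumstances: int  # e.g. immature or unusually complex technology
    threat: int                 # level of threat the resource faces
    business_impact: int        # impact of a breach or denial of service

    def __post_init__(self) -> None:
        # Reject scores outside the assumed scale so bad input cannot skew the view.
        for name in ("vulnerability", "special_circumstances", "threat", "business_impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.asset}: {name}={value} is outside the 1-5 scale")

    def exposure(self) -> float:
        # Likelihood-side elements are averaged so one extreme score does not dominate.
        return mean((self.vulnerability, self.special_circumstances, self.threat))

    def rating(self) -> float:
        # Assumed rule: impact scaled by exposure, giving a value between 1.0 and 25.0.
        return round(self.business_impact * self.exposure(), 2)


def rank_assets(cards: List[Scorecard]) -> List[Tuple[str, float]]:
    """Assets ordered from highest to lowest rating (ties broken by name)."""
    return sorted(((c.asset, c.rating()) for c in cards), key=lambda t: (-t[1], t[0]))


def risk_by_owner(cards: List[Scorecard]) -> Dict[str, float]:
    """Worst-rated asset per owner: who is accountable for the biggest exposures."""
    out: Dict[str, float] = {}
    for c in cards:
        out[c.owner] = max(out.get(c.owner, 0.0), c.rating())
    return out


def heat_map(cards: List[Scorecard]) -> Dict[Tuple[str, str], List[str]]:
    """Bucket assets by (impact band, exposure band), the usual visual summary."""
    def band(x: float) -> str:
        return "high" if x >= 4 else "medium" if x >= 2.5 else "low"

    grid: Dict[Tuple[str, str], List[str]] = {}
    for c in cards:
        grid.setdefault((band(c.business_impact), band(c.exposure())), []).append(c.asset)
    return grid


# Constructed sample scorecards, as if returned by four asset owners.
SAMPLE = [
    Scorecard("payroll-db", "finance", 4, 3, 4, 5),
    Scorecard("intranet-wiki", "it-ops", 3, 2, 2, 2),
    Scorecard("customer-portal", "ecommerce", 5, 4, 5, 5),
    Scorecard("build-server", "it-ops", 2, 5, 3, 3),
]

if __name__ == "__main__":
    for asset, score in rank_assets(SAMPLE):
        print(f"{asset:16s} {score:5.2f}")
    print(risk_by_owner(SAMPLE))
    for cell, assets in sorted(heat_map(SAMPLE).items()):
        print(cell, assets)
```

The point of the three views is the same as in the text: the ranking answers "which assets hurt most if affected", the per-owner view shows where accountability sits, and the heat map is the mapped-together picture a director would present. Any real deployment would replace the assumed scale and rule with the methodology's own.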
Citicus has created a risk management tool, Citicus ONE, which is based mainly on the FIRM assessment methodology.
FIRM is more popular outside of the U.S., while COBIT and OCTAVE are more widely accepted in industry as approaches to IT governance and risk assessment.
I had difficulties accessing FIRM documentation, which leads me to believe you will need to contact Information Security Forum directly and most likely pay to become a member in order to access their documentation. You can contact them via Tel: +44 (0)20 7212 5346, or E-mail: firstname.lastname@example.org or email@example.com.
This was first published in September 2005