Ask the Expert

How to choose a general security risk assessment

How do I decide what type of security risk assessment is right for my organization?

    Requires Free Membership to View

The short answer is: Whichever type most effectively communicates the risk to the organization's executives. As I mentioned in another risk assessment question, there are quite a number of different frameworks to choose from, such as FAIR, OCTAVE, SOMAP and the emerging ISO 27005 standard. At first blush, though, it seems that choosing a framework is a daunting task.

I'm going to let you in on one of the dirty secrets of the risk assessment world: It doesn't really matter which framework you use, as long as you apply the model consistently you will get similar results with each of the frameworks. The trick to deciding is to choose the one that most closely resembles the way your organization already does business, so that throughout the assessment the organization can leverage as many existing processes as possible, minimizing disruption to the business.

So for instance, if you work for a U.S. Federal government agency, then this choice has been made for you by the Federal Information Security Management Act of 2002 (FISMA), which points to NIST 800-30 for the process to follow. If you don't work for the U.S. government, then I recommend talking with your CIO, CRO, CFO or audit group to see if they have a preference toward or experience with any of the frameworks mentioned above; I'd recommend choosing a framework that many people in the organization have experience with, as it will make the entire process run more smoothly. This is also a prime opportunity to find out what sort of information the executives are interested in seeing and what format they'd like to see it in. If you do your homework right, when you come back to present your results, you will look even more effective.

For more information:

This was first published in February 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: