The short answer is: Whichever type most effectively communicates the risk to the organization's executives. As I mentioned in another risk assessment question, there are quite a number of different frameworks to choose from, such as FAIR, OCTAVE, SOMAP and the emerging ISO 27005 standard. At first blush, though, it seems that choosing a framework is a daunting task.
I'm going to let you in on one of the dirty secrets of the risk assessment world: It doesn't really matter which framework you use, as long as you apply the model consistently you will get similar results with each of the frameworks. The trick to deciding is to choose the one that most closely resembles the way your organization already does business, so that throughout the assessment the organization can leverage as many existing processes as possible, minimizing disruption to the business.
So for instance, if you work for a U.S. Federal government agency, then this choice has been made for you by the Federal Information Security Management Act of 2002 (FISMA), which points to NIST 800-30 for the process to follow. If you don't work for the U.S. government, then I recommend talking with your CIO, CRO, CFO or audit group to see if they have a preference toward or experience with any of the frameworks mentioned above; I'd recommend choosing a framework that many people in the organization have experience with, as it will make the entire process run more smoothly. This is also a prime opportunity to find out what sort of information the executives are interested in seeing and what format they'd like to see it in. If you do your homework right, when you come back to present your results, you will look even more effective.
For more information:
- What types of software can help a company perform a security risk assessment? Read more.
- Learn how to get information security buy-in from the executive team.
This was first published in February 2009