The NIST 800-30 provides high-level guidelines that explain what risk management is, and the phases and steps that should be integrated into every risk management effort. The document can be found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) is one of the best-known risk management methodologies. It is a structured approach to evaluating risk that addresses operational risk, security practices and the technology that is used to mitigate the recognized risk. Compared to other approaches, it is more strategic than tactical: it focuses not only on the technology but also on the practices and processes. It is also a methodology that a company can learn and use in-house instead of requiring security consultants to run this type of program. You can find more information on OCTAVE at http://www.cert.org/octave/.
Although each industry has its own risks, the methodology that is used to assess the risks can be the same. You can look at the methodology that the Department of Agriculture used and how it was implemented at http://www.ocio.usda.gov/directives/files/dm/DM3540-001.htm.
Unfortunately, many vendors refer to their products as "risk management tools" when in truth they are vulnerability management tools. There is a difference between vulnerability management and risk management. Vulnerability management is identifying the holes in the environment that can allow the bad guy to do something malicious. Identifying these holes is the easiest piece of the equation, and today we have a variety of tools that carry out vulnerability management. Risk management is totally different. Risk is the calculation of the PROBABILITY of a vulnerability being exploited and the BUSINESS IMPACT if that particular threat is realized. Risk management is much more difficult and complex than vulnerability management.
I will not indicate which risk management tool is better than another, because I personally have not carried out a side-by-side bakeoff. But as a consumer I would investigate Riskwatch and their product suite, Protiviti, and TruSecure's Risk Commander.
This was first published in August 2005