
	Risk Assessment and Analysis


	Home > Ask the Security Experts > Security Management Questions & Answers > Risk management methodologies

Ask The Security Expert: Questions & Answers

EMAIL THIS

Risk management methodologies

EXPERT RESPONSE FROM: Shon Harris

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 24 August 2005
What is the best tool for risk assessment? Also, is there a recommended security risk assessment methodology?

EXPERT RESPONSE

The NIST 800-30 provides high-level guidelines that explain what risk management is, and the phases and steps that should be integrated into every risk management effort. The document can be found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) is one of the best known risk management methodologies. It is a structured approach to evaluating risk that addresses operational risk, security practices and the technology that is used to mitigate the recognized risk. The goal of this approach, compared to others, is that it takes a more strategic approach compared to a tactical one. It not only focuses on the technology but the practices and processes also. This is also a methodology that a company can learn and use in-house instead of requiring security consultants to run this type of program. You can find out more information on OCTAVE at http://www.cert.org/octave/..

Although each industry has its own risks, the methodology that is used to assess the risks can be the same. You can look at the methodology that the Department of Agriculture used and how it was implemented at http://www.ocio.usda.gov/directives/files/dm/DM3540-001.htm.

Unfortunately, many vendors refer to their products as "risk management tools" when in truth they are vulnerability management tools. There is a difference between vulnerability management and risk management. Vulnerability management is identifying the holes in the environment that can allow the bad guy to do something malicious. Identifying these holes is the easiest piece to the equation and today we have a variety of tools that carry out vulnerability management. Risk management is totally different. Risk is the calculation of the PROBABILITY of a vulnerability being exploited and the BUSINESS IMPACT if that particular threat is realized. Risk management is much more difficult and complex than vulnerability management.

I will not indicate which risk management tool is better than another, because I personally have not carried out a side-by-side bakeoff. But as a consumer I would investigate Riskwatch and their product suit, Protiviti, and TruSecure's Risk Commander.

Sound Off! -

Be the first to post a message to Sound Off!

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	Is it against HIPAA regulations to permanently store sensitive information?
	Two-tier distributed systems vs. three-tier distributed systems
	How to prevent software piracy
	How do ISO 17799 and SAS 70 differ?
	Has FFIEC made any VoIP-specific mandates?
	How are the PCI DSS deadline extensions affecting corporations' desire to become compliant?
	What are the roles of a liaison officer?
	Why are there still various independent credit card security standards?
	What is the best way to administer exams to students via computer?
	How can birth certificate fraud and passport fraud be prevented?

Risk Assessment and Analysis

Security data lapses hamper researchers

Panel: IT governance, risk and compliance program helps reduce expenses

Like MLB scouts, IT security pros are turning to metrics

Google shares struggle to manage security complexities

GRC Tools Help Manage Regulations

Interview: Financial Services CISO David Pollino

The New School of Information Security

Penetration testing: Helping your compliance efforts

Failure mode and effects analysis: Process and system risk assessment

The pros and cons of data breach insurance

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

risk analysis (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy