Risk management methodologies

BROWSE BY TAG Security Management,   Enterprise Risk Management: Metrics and Assessments,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Management How to prepare for a FERPA audit Why doesn't the CISSP cover information assurance and DIACAP? Data breach notification legislation: What info must be released? Risk management strategy for an information technology solution provider Are there guidelines to create a HIPAA-compliant data center? HHS HIPAA guidance on encryption requirements and data destruction Writing a patient identifier policy to prevent common HIPAA violations How to write technology outsourcing contracts The requirements for being a PCI DSS-compliant service provider The requirements needed to make an external penetration test legal Enterprise Risk Management: Metrics and Assessments How to justify information security spending on cloud computing Layoffs prompt insider threat fears, cybersecurity survey finds How to avoid Internet liability lawsuits Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way Bernie Rominski: Communicate Effectively with Management about Risk Best Policy and Risk Management Products Monitoring program data and internal controls for risk management Risk management strategy for an information technology solution provider Align your data protection efforts with GRC The basics of enterprise GRC project management Enterprise Risk Management: Metrics and Assessments Research

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

The NIST 800-30 provides high-level guidelines that explain what risk management is, and the phases and steps that should be integrated into every risk management effort. The document can be found at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) is one of the best known risk management methodologies. It is a structured approach to evaluating risk that addresses operational risk, security practices and the technology that is used to mitigate the recognized risk. The goal of this approach, compared to others, is that it takes a more strategic approach compared to a tactical one. It not only focuses on the technology but the practices and processes also. This is also a methodology that a company can learn and use in-house instead of requiring security consultants to run this type of program. You can find out more information on OCTAVE at http://www.cert.org/octave/..

Although each industry has its own risks, the methodology that is used to assess the risks can be the same. You can look at the methodology that the Department of Agriculture used and how it was implemented at http://www.ocio.usda.gov/directives/files/dm/DM3540-001.htm.

Unfortunately, many vendors refer to their products as "risk management tools" when in truth they are vulnerability management tools. There is a difference between vulnerability management and risk management. Vulnerability management is identifying the holes in the environment that can allow the bad guy to do something malicious. Identifying these holes is the easiest piece to the equation and today we have a variety of tools that carry out vulnerability management. Risk management is totally different. Risk is the calculation of the PROBABILITY of a vulnerability being exploited and the BUSINESS IMPACT if that particular threat is realized. Risk management is much more difficult and complex than vulnerability management.

I will not indicate which risk management tool is better than another, because I personally have not carried out a side-by-side bakeoff. But as a consumer I would investigate Riskwatch and their product suit, Protiviti, and TruSecure's Risk Commander.