Choosing the right information security risk assessment framework


This article can also be found in the Premium Editorial Download "Information Security magazine: Best practices for securing virtual machines."

Many regulations and virtually all security frameworks require some objective assessment of risks. The reason is simple: security controls should be selected based on real risks to an organization's assets and operations. The alternative -- selecting controls without a methodical analysis of threats and existing controls -- is likely to result in security controls being implemented in the wrong places, wasting resources while leaving the organization vulnerable to unanticipated threats.

A risk assessment framework establishes the rules for what is assessed, who needs to be involved, the terminology used in discussing risk, the criteria for quantifying, qualifying, and comparing degrees of risk, and the documentation that must be collected and produced as a result of assessments and follow-on activities. The goal of a framework is to establish an objective measurement of risk that allows an organization to understand the business risk to critical information and assets both qualitatively and quantitatively. In the end, the risk assessment framework provides the tools necessary to make business decisions regarding investments in people, processes, and technology to bring risk to an acceptable level.

Two of the most popular risk frameworks in use today are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University, and the NIST risk assessment framework documented in NIST Special Publication 800-30. Other risk frameworks with a substantial following are ISACA's RISK IT (part of COBIT) and ISO 27005:2008 (part of the ISO 27000 series, which includes ISO 27001 and 27002). All of these frameworks take similar approaches but differ in their high-level goals: OCTAVE, NIST SP 800-30, and ISO 27005 focus on security risk assessment, whereas RISK IT applies to the broader IT risk management space.

How does a company know which framework is the best fit for its needs? We'll provide an overview of the general structure and approach of risk assessment, compare the frameworks, and offer some guidance for experimenting with and selecting an appropriate framework.

This was first published in March 2011