Security Management Strategies for the CIO
This article can also be found in the Premium Editorial Download "Information Security magazine: Best practices for securing virtual machines."
Download it now to read this article plus other related content.
Many regulations and virtually all security frameworks require some objective assessment of risks. The reason is simple: Security controls should be selected based on real risks to an organization's assets and operations. The alternative -- selecting controls without a methodical analysis of threats and controls -- is likely to result in implementation of security controls in the wrong places, wasting resources while at the same time, leaving an organization vulnerable to unanticipated threats.
A
Requires Free Membership to View
risk
assessment framework establishes the rules for what is assessed, who needs to be involved, the
terminology used in discussing risk, the criteria for quantifying, qualifying, and comparing
degrees of risk, and the documentation that must be collected and produced as a result of
assessments and follow-on activities. The goal of a framework is to establish an objective
measurement of risk that will allow an organization to understand business risk to critical
information and assets both qualitatively and quantitatively. In the end, the risk assessment
framework provides the tools necessary to make business decisions regarding investments in people,
processes, and technology to bring risk to acceptable level.
Two of the most popular risk frameworks in use today are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University, and the NIST risk assessment framework documented in NIST Special Publication 800-30. Other risk frameworks that have a substantial following are ISACA's RISK IT (part of COBIT), and ISO 27005:2008 (part of the ISO 27000 series that includes ISO 27001 and 27002). All the frameworks have similar approaches but differ in their high level goals. OCTAVE, NIST, and ISO 27005 focus on security risk assessments, where RISK IT applies to the broader IT risk management space.
How does a company know which framework is the best fit for its needs? We'll provide an overview of the general structure and approach to risk assessment, draw a comparison of the frameworks, and offer some guidance for experimentation and selection of an appropriate framework.
This was first published in March 2011
Join the conversationComment
Share
Comments
Results
Contribute to the conversation