Many regulations and virtually all security frameworks require some objective assessment of risk. The reason is simple: security controls should be selected based on the real risks to an organization's assets and operations. The alternative, selecting controls without a methodical analysis of threats and existing controls, is likely to put controls in the wrong places, wasting resources while leaving the organization exposed to threats nobody anticipated.
Two of the most popular risk frameworks in use today are OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University's Software Engineering Institute, and the NIST risk assessment process documented in NIST Special Publication 800-30. Other risk frameworks with a substantial following are ISACA's Risk IT (a companion framework to COBIT) and ISO/IEC 27005:2008 (part of the ISO 27000 series that also includes ISO 27001 and 27002). All four take a similar approach but differ in their high-level goals: OCTAVE, NIST SP 800-30 and ISO 27005 focus on information security risk assessment, whereas Risk IT addresses the broader IT risk management space.
How does a company know which framework is the best fit for its needs? We'll provide an overview of the general structure and approach to risk assessment, draw a comparison of the frameworks, and offer some guidance for experimentation and selection of an appropriate framework.
This was first published in March 2011