
Best practices for risk management programs

In this Ask the Expert Q&A our security management guru reviews a variety of standards and methodologies to determine what and how to use them throughout an organization's information security program.

Our risk categories vary from IT, info security, operational, etc., and we have a lot of standards to comply with (ISO 17799, COBIT, Basel II, ITIL, COSO, SOX, etc.). What is the best methodology (Octave, COBIT for processes of IT and auditing, ALE for security, some statistical techniques, etc.) and how should we aggregate those measures (from the assessment process) into a common risk severity index? There are also many tools to choose from; which embrace all the specifics in practice?

Last month I explained ISO 17799, IT Infrastructure Library and COBIT to some degree. Although this is a terrific question, I cannot really answer it and do it justice in this format. I am currently writing a series for SearchSecurity.com. The first installment will cover risk management and analysis, and the Octave methodology. The second will outline COBIT, ITIL and ISO 17799, as well as how to use these methods in an integrated manner (mainly how to combine COBIT, ITIL and ISO 17799), which can be used to be compliant with SOX, GLBA, and HIPAA. The third installment will compare and contrast current risk management tools and technologies, explain which methodologies they follow as well as their benefits and hidden downfalls. Look for these tips, which will be launching soon.

In the meantime, here is a quick and dirty answer to your question:

  • ISO 17799 is the globally agreed upon way of setting up an organizational security program.
  • COBIT has become the de facto standard of ensuring the right controls are put into place to protect IT assets and data.
  • SOX and GLBA are built around COBIT, which means that the auditors will be following the COBIT methodology to verify if you are compliant with these regulations.
  • HIPAA is built on NIST standards. NIST has its own standards on how to secure assets, but these best practices are not as detailed and structured as COBIT.
  • Octave is a qualitative risk management methodology, which is integrated with many of the other listed standards, although usually not fully. Octave can be very time consuming, but if done right, it is very robust.
  • COSO is a methodology to ensure that financial reporting is not done fraudulently, and it defines controls and criteria to protect assets.
  • ITIL is a methodology of how to develop and implement business processes with the focus of how the IT group can best serve its internal customers.

If you have to be SOX or GLBA compliant, start learning COBIT. I also believe it is critical for all organizations to start learning risk management. Octave is a great approach and after you understand its basics, you can choose if you want to use the full methodology or just components of it. There is an Octave methodology for large organizations and another version for smaller organizations.

Also, it's important to note that while there are several methodologies and approaches, when you boil them all down, there's about a 60-70% overlap between them. Information security is information security. Each has its own focus (process-oriented, control-oriented, risk management oriented, financial records oriented, etc.). The real "gold" is to find how to use pieces and parts of them to provide the best approach for your organization's needs.

This was last published in December 2005
