Problem solve Get help with specific problems with your technologies, process and projects.

How to choose a general security risk assessment

Looking to do a general security risk assessment, but aren't sure how to choose one? In this security management expert response, David Mortman explains how to assess risk and get the funding you need to mitigate it.

How do I decide what type of security risk assessment is right for my organization?

The short answer is: Whichever type most effectively communicates the risk to the organization's executives. As I mentioned in another risk assessment question, there are quite a number of different frameworks to choose from, such as FAIR, OCTAVE, SOMAP and the emerging ISO 27005 standard. At first blush, though, it seems that choosing a framework is a daunting task.

I'm going to let you in on one of the dirty secrets of the risk assessment world: It doesn't really matter which framework you use, as long as you apply the model consistently you will get similar results with each of the frameworks. The trick to deciding is to choose the one that most closely resembles the way your organization already does business, so that throughout the assessment the organization can leverage as many existing processes as possible, minimizing disruption to the business.

So for instance, if you work for a U.S. Federal government agency, then this choice has been made for you by the Federal Information Security Management Act of 2002 (FISMA), which points to NIST 800-30 for the process to follow. If you don't work for the U.S. government, then I recommend talking with your CIO, CRO, CFO or audit group to see if they have a preference toward or experience with any of the frameworks mentioned above; I'd recommend choosing a framework that many people in the organization have experience with, as it will make the entire process run more smoothly. This is also a prime opportunity to find out what sort of information the executives are interested in seeing and what format they'd like to see it in. If you do your homework right, when you come back to present your results, you will look even more effective.

For more information:

This was last published in February 2009

Dig Deeper on Risk assessments, metrics and frameworks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.