I will discuss three of the most widely used information security risk assessment methodologies: OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), FAIR (Factor Analysis of Information Risk), and the NIST RMF (the National Institute of Standards and Technology's Risk Management Framework). Each gets a brief overview along with three pros and three cons of using it. I close with my recommendation and the reasoning behind it.
Risk Assessment Methodologies
OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) is a suite of tools, techniques and methods for risk-based strategic information security assessment and planning, developed at Carnegie Mellon's Software Engineering Institute. OCTAVE treats people, computer systems, software, hardware and sensitive information as assets. Three variants form the OCTAVE body of knowledge:
- OCTAVE, the original method, aimed at large organizations (roughly 300 or more people).
- OCTAVE-S, similar in structure to the original but aimed at small organizations with limited security and risk-management resources.
- OCTAVE Allegro, a streamlined, information-asset-centred approach to information security assessment and assurance.
A key characteristic of OCTAVE is that it is self-directed: small interdisciplinary teams drawn from the business units and IT work together to identify the organization's security needs rather than relying on outside consultants. OCTAVE is also designed to be flexible, so each method can be tailored to the organization's risks, security needs and skill level. The people who put OCTAVE together are respected experts in their fields.
Three pros to using OCTAVE:
- It is well designed and freely available.
- It emphasizes collaboration across all business units, producing a more cohesive response.
- It looks at information security risk from the physical, technical and people perspectives.
Three cons to using OCTAVE:
- It is complex to use.
- It gives organizations no way to model risk mathematically.
- It is a purely qualitative methodology.
FAIR (Factor Analysis of Information Risk) is a framework for understanding, analysing and quantifying information risk. It was created to address weaknesses in how organizations practise risk assessment. The framework is designed to let an organization adopt a single, consistent way of reasoning about risk; apply the same assessment to any asset or object; see total risk across the whole organization; challenge risk determinations with a defensible, repeatable analysis; and understand how the time and money it spends affect its overall security profile. Unlike OCTAVE, FAIR is quantitative: it decomposes risk into loss event frequency and loss magnitude and expresses the result as a probable range of loss rather than a high/medium/low rating.
Three pros to using FAIR:
- It is not subject to the limitations of ordinal scales (high/medium/low), since it produces probability and loss ranges.
- It models loss exposure explicitly, as the frequency of loss events and the magnitude of each, rather than as a single score.
- It provides more comprehensive definitions of threat, vulnerability and risk than most other methods.
Three cons to using FAIR:
- It is difficult to use.
- It is not as thoroughly documented as the other methods.
- At the time of writing there is very little publicly available material on the methodology or on examples of how it is applied.
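To make the contrast with OCTAVE's qualitative output concrete, here is a small FAIR-style Monte Carlo simulation. It is an added example written for this post, not code from the page's source or from the FAIR standard, and it simplifies FAIR: it keeps only the top of the taxonomy (threat event frequency, vulnerability as the chance that threat capability beats the control's resistance strength, and loss magnitude per event), uses triangular distributions in place of the PERT distributions FAIR practitioners usually prefer, and the phishing scenario numbers are constructed for illustration, not real data.

```python
"""Minimal FAIR-style Monte Carlo: risk = loss event frequency x loss magnitude.

Added example for this post; a simplification of FAIR, not the standard's
own reference implementation. All scenario numbers below are constructed.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum.

    Sampled from a triangular distribution for simplicity; FAIR practitioners
    more often use a PERT distribution, which this example does not implement.
    """
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: a threat community acting against an asset."""
    tef: Estimate   # threat event frequency, events per year
    tcap: Estimate  # threat capability, percentile 0..100
    rs: Estimate    # resistance strength of the control, percentile 0..100
    lm: Estimate    # loss magnitude per loss event, in currency units


@dataclass(frozen=True)
class Result:
    ale_mean: float       # mean annualised loss exposure
    ale_median: float
    ale_p90: float        # 90th percentile: a "bad year"
    p_zero_loss: float    # share of simulated years with no loss at all
    vulnerability: float  # P(threat capability > resistance strength)


def threat_events(rate: float, rng: random.Random) -> int:
    """Turn a sampled annual rate into a whole number of threat events.

    The integer part always happens; the fractional part happens with that
    probability, so a rate of 0.25 produces one event in about a quarter of
    simulated years instead of being rounded away.
    """
    whole, frac = divmod(rate, 1.0)
    return int(whole) + (1 if rng.random() < frac else 0)


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 0) -> Result:
    rng = random.Random(seed)
    annual_losses = []
    vulnerable_events = 0
    total_events = 0
    for _ in range(years):
        loss = 0.0
        for _ in range(threat_events(scenario.tef.sample(rng), rng)):
            total_events += 1
            # FAIR "vulnerability": a threat event becomes a loss event only
            # when the attacker's capability exceeds the control's resistance.
            if scenario.tcap.sample(rng) > scenario.rs.sample(rng):
                vulnerable_events += 1
                loss += scenario.lm.sample(rng)
        annual_losses.append(loss)
    annual_losses.sort()
    return Result(
        ale_mean=statistics.fmean(annual_losses),
        ale_median=statistics.median(annual_losses),
        ale_p90=annual_losses[int(0.9 * years)],
        p_zero_loss=annual_losses.count(0.0) / years,
        vulnerability=(vulnerable_events / total_events) if total_events else 0.0,
    )


# Constructed example inputs (not real data): phishing-delivered credential
# theft against a payroll application where MFA is only partially rolled out.
PAYROLL_PHISHING = Scenario(
    tef=Estimate(low=2, likely=6, high=24),        # attempts per year
    tcap=Estimate(low=30, likely=60, high=95),     # commodity kits to skilled crews
    rs=Estimate(low=40, likely=70, high=90),       # depends on MFA coverage
    lm=Estimate(low=5_000, likely=40_000, high=400_000),
)

if __name__ == "__main__":
    r = simulate(PAYROLL_PHISHING)
    print(f"vulnerability  {r.vulnerability:.2f}")
    print(f"ALE mean       {r.ale_mean:,.0f}")
    print(f"ALE median     {r.ale_median:,.0f}")
    print(f"ALE p90        {r.ale_p90:,.0f}")
    print(f"P(no loss)     {r.p_zero_loss:.2f}")
```

The point a purely qualitative method cannot make is visible in the output: the median year and the 90th-percentile year can differ by an order of magnitude, and the share of years with zero loss tells you whether a "high" rating reflects a frequent nuisance or a rare disaster. Re-running with a higher resistance strength (more MFA coverage) shows directly how much annual loss a control buys down.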
NIST RMF (National Institute of Standards and Technology's Risk Management Framework). Roughly a decade old at the time of writing, the RMF is built from mature processes that have been proven in the field of risk management. One caveat: the description that follows, and the five activity stages listed below, are actually those of the software-centric Risk Management Framework from Cigital (Gary McGraw's RMF), which the source conflates with NIST's. NIST's own RMF, defined in SP 800-37, is a system authorization process whose steps are Categorize, Select, Implement, Assess, Authorize and Monitor. The software RMF was designed to manage the business risks that software introduces. It provides a consistent, repeatable, expertise-driven approach to risk management. Because the risk management activities are the basis for measurement and shared metrics, organizations can improve how they manage both business and technical risk against precise quality objectives. That in turn lets the organization make better-informed, objective business decisions about its software, improving core development practices and leaving software risk better managed.
The RMF consists of five fundamental activity stages:
- Understand the business context.
- Identify the business and technical risks.
- Synthesize and rank the risks, producing a prioritized list.
- Define the risk mitigation strategy.
- Carry out the fixes and validate them.
Three pros to using NIST:
- NIST is tasked by Congress with ensuring that security principles and tools are examined, validated and established to provide a high level of information security infrastructure.
- The framework is regularly reviewed and updated as new technologies emerge and new laws are passed.
- Independent companies have developed additional tools that support the NIST standards.
Three cons to using NIST:
- Strict discipline is required to feed realistic data into the model in order to get credible outputs.
- Because it is a documented framework rather than an automated tool, people's judgements, which can be highly subjective, can skew the results.
- It depends on continuous, reliable identification and recording of risk data as that data changes over time.
The purpose of any risk management framework is to take the guesswork out of evaluating IT risk. Virtually every organization treats assessing and managing risk as a high priority. Given the turbulent state of IT security today, vulnerabilities continue to rise, and the need to be compliant with a vast number of regulations is a huge challenge in and of itself. As a result, several IT risk management frameworks have evolved over the years to guide security and risk management executives through an otherwise daunting process. Organizations can only benefit from adopting one of these frameworks, which makes doing business much more viable.
Pantizis. (2011, September 26). Risk Analysis Management and Methodology. IT Security Office. Retrieved August 2, 2015, from http://itsecurityoffice.blogspot.com
One thought on “Risk Assessment Methodologies”
Regarding NIST, the biggest con is the fact that it does not define acceptable risk. It has a DAA (Designated Approving Authority) that has the ability to accept risk arbitrarily.