Thursday

Risk management frameworks

Riskmanagementinsight.com (my favorite blog on Risk Management) had an article today called Risk Management and Analysis Standards Update. One of the announcements was a press release from The Open Group:

SAN FRANCISCO, June 17, 2008 – The Open Group, a vendor- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, today announced that the organization’s Security Forum has initiated work on a risk management and analysis taxonomy standard. This is the first phase of a comprehensive initiative aimed at eliminating widespread industry confusion about risk management among risk managers, security and IT professionals as well as business managers. Risk management vendors and their customers interested in getting involved can learn more here: http://www.opengroup.org/security.
Read full press release.

I had a further look at the website of The Open Group and found that they had some publications that were downloadable for free, such as Enterprise Security Architecture or Architecture for Public-Key Infrastructure (APKI). Might be interesting as a later reference.

But another thing I noticed when reading the original blog post was an overview of Risk Management frameworks:

Some folks may be thinking “do we really need another risk management effort?” And really, I sympathize with the thought. There’s ISO risk management stuff, there’s OCTAVE and NIST 800-30 and AS/NZ 4360 and CRAM and FRAP and others…

And this is where I think FAIR and The Open Group have a good fit. FAIR, as a model for analysis, does not compete with but rather complements OCTAVE and NIST 800-30 and ISO 2700x (That reminds me, Rybolov, I’ve got to respond to your 800-30 article). In fact, one of the goals for the work with The Open Group is supporting documentation (call them white papers or guidance letters or whatever) that talks about how to use FAIR and the work of The Open Group Forum with ISO 27001 or as probability determination within OCTAVE, or in context with COSO efforts, etc…

I updated the above part with some links to the appropriate resources. I have worked with some of these frameworks, but I must have a closer look at OCTAVE and FAIR. Something more for the TODO list.

1 comment:

Alex said...

Thanks for the kind post!

I think that you'll find that most of those frameworks (OCTAVE, 800-30, COSO, etc...) add more benefit in developing a process *around* risk analysis, not the means for risk analysis itself (FRAP and CRAM, however, are more analysis than process).