IT Risk Management Frameworks

--Originally published at Mental Droppings of a Tired Student

Before we get into this topic, we must ask ourselves: what is risk management? According to the Certified Information Systems Auditor Review Manual 2006, produced by ISACA, an international professional association focused on IT governance, risk management is:

“The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.”

A framework formalizes the risk-assessment methodology; in other words, it tries to take the guesswork out of evaluating IT risks. Assessing and managing risk is a high priority for most organizations, and guessing your way through these assessments would be unwise. Given the ever-changing state of information security vulnerabilities, evaluating IT risks is a real challenge.


Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process.

Here are some IT risk management frameworks:

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Factor Analysis of Information Risk (FAIR)
  • the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)
  • Threat Agent Risk Assessment (TARA)

OCTAVE

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination Center at Carnegie Mellon University, is a suite of tools, techniques and methods for risk-based infosec strategic assessment and planning.

OCTAVE defines assets as including people, hardware, software, information and systems. The OCTAVE methods have several key characteristics. One is that they’re self-directed: small teams of personnel drawn from the business units and IT work together to address the security needs of the organization. Another is that they’re designed to be flexible: each method can be customized to address an organization’s particular risk environment, security needs and level of skill. A third is that OCTAVE aims to move organizations toward an operational, risk-based view of security and addresses technology in a business context.

OCTAVE strengths:

  • It’s thorough and well documented. It’s been around a while, is very well defined and is freely available.
  • Because the methodology is self-directed and easily modified, it can be used as the foundation risk-assessment component or process for other risk methodologies.
  • It calls for a small analysis team encompassing members of IT and the business. This promotes collaboration on any risks found and gives business leaders visibility into those risks.
  • OCTAVE looks at all aspects of information security risk from the physical, technical and people viewpoints.

OCTAVE weaknesses:

Experts say one of the drawbacks of OCTAVE is its complexity. “When it shipped, we spent hours trying to understand what it was that this package was going to do for us,” says Adam Rice, global CSO and vice president of managed security services at Tata Communications, a provider of communications services.

FAIR

FAIR (Factor Analysis of Information Risk) is a framework for understanding, analyzing and measuring information risk. According to Jack Jones, the former CISO of Nationwide Mutual Insurance, information security practices to date have generally been inadequate in helping organizations effectively manage information risk.

FAIR is designed to address security practice weaknesses. The framework aims to allow organizations to speak the same language about risk; apply risk assessment to any object or asset; view organizational risk in total; defend or challenge risk determination using advanced analysis; and understand how time and money will affect the organization’s security profile.


Components of the framework include a taxonomy for information risk, standardized nomenclature for information-risk terms, a framework for establishing data-collection criteria, measurement scales for risk factors, a computational engine for calculating risk and a model for analyzing complex risk scenarios.

FAIR strengths:

  • A common language. The FAIR vocabulary lets the risk-management team and people from IT and the business lines talk about risk in a consistent manner, which makes decision making easier.
  • It doesn’t use ordinal scales, such as one-to-10 rankings, and therefore isn’t subject to their limitations (ordinal ranks express order only, so adding or multiplying them to produce a “risk score” has no real meaning).
  • FAIR uses dollar estimates for losses and probability values for threats and vulnerabilities. Combined with ranges of values and levels of confidence, this allows genuine mathematical modeling of loss exposure.
  • FAIR has more detailed definitions of threats, vulnerabilities and risks: its taxonomy breaks these terms down at a more granular level.
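To make the “computational engine” and the dollar-and-probability point above concrete, here is an added example (written for this page, not FAIR’s own tooling or the FAIR Institute’s calculator). It uses the FAIR factor names that are certain from the taxonomy (Loss Event Frequency = Threat Event Frequency x Vulnerability; Loss Magnitude = primary + secondary loss; annualized exposure = LEF x LM), but the choice of triangular distributions, the fixed seed, the scenario names and every number in it are assumptions or constructed values, not FAIR’s published calibration method (FAIR uses PERT-style distributions with a confidence weight).

```python
"""FAIR-style Monte Carlo loss-exposure model (added example, not FAIR's own tooling)."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """A calibrated range for one risk factor: low, most likely, high.

    Sampled here as a triangular distribution. This is an assumption made
    for the example; the real FAIR engine uses PERT (beta) distributions
    plus a confidence weight.
    """
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    """Inputs for one loss scenario, named after the FAIR taxonomy factors."""
    name: str
    threat_event_frequency: Estimate   # threat events per year (TEF)
    vulnerability: Estimate            # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate             # dollars per loss event, direct costs
    secondary_loss: Estimate           # dollars per loss event, flow-on costs (fines, churn)


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 7) -> List[float]:
    """Return `iterations` samples of annualized loss exposure (ALE) in dollars.

    FAIR: LEF = TEF x Vulnerability; LM = primary + secondary; ALE = LEF x LM.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    samples = []
    for _ in range(iterations):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        lm = scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        samples.append(lef * lm)
    return samples


def percentile(samples: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a list of samples."""
    ordered = sorted(samples)
    index = math.ceil(p / 100 * len(ordered)) - 1
    return ordered[max(0, min(len(ordered) - 1, index))]


def summarize(samples: List[float]) -> Dict[str, float]:
    """Mean plus the percentiles a decision maker actually asks about."""
    return {
        "mean": sum(samples) / len(samples),
        "p10": percentile(samples, 10),
        "p50": percentile(samples, 50),
        "p90": percentile(samples, 90),
        "max": max(samples),
    }


def control_value(before: Scenario, after: Scenario, annual_control_cost: float,
                  iterations: int = 10_000, seed: int = 7) -> float:
    """Expected annual loss avoided by a control, net of what the control costs.

    Positive means the control pays for itself on expected value; use
    summarize() on both scenarios to see what it does to the tail (p90).
    """
    ale_before = sum(simulate(before, iterations, seed)) / iterations
    ale_after = sum(simulate(after, iterations, seed)) / iterations
    return (ale_before - ale_after) - annual_control_cost


# Constructed, illustrative estimates for one scenario: an external actor
# phishing finance staff into approving fraudulent payments. All numbers are made up.
BASELINE = Scenario(
    name="payment fraud via phishing, current controls",
    threat_event_frequency=Estimate(2, 5, 12),
    vulnerability=Estimate(0.3, 0.5, 0.7),
    primary_loss=Estimate(20_000, 50_000, 150_000),
    secondary_loss=Estimate(0, 10_000, 60_000),
)

# Same scenario after adding out-of-band payment verification, assumed (for the
# example) to cut the chance that a successful phish becomes a loss event.
WITH_VERIFICATION = Scenario(
    name="payment fraud via phishing, with out-of-band verification",
    threat_event_frequency=BASELINE.threat_event_frequency,
    vulnerability=Estimate(0.05, 0.1, 0.2),
    primary_loss=BASELINE.primary_loss,
    secondary_loss=BASELINE.secondary_loss,
)

if __name__ == "__main__":
    for scenario in (BASELINE, WITH_VERIFICATION):
        stats = summarize(simulate(scenario))
        print(f"{scenario.name}: " + ", ".join(f"{k}=${v:,.0f}" for k, v in stats.items()))
    net = control_value(BASELINE, WITH_VERIFICATION, annual_control_cost=50_000)
    print(f"net expected value of verification control: ${net:,.0f}/yr")
```

Because every factor is a range rather than a rank, the output is a distribution in dollars: the p50 and p90 answer “what do we expect” and “how bad is a bad year” separately, and the control comparison shows the “how time and money affect the security profile” idea as an expected-value calculation rather than a change from “High” to “Medium”.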

FAIR weaknesses:

  • FAIR can be difficult to use, and it’s not as well documented as OCTAVE.
  • There is a lack of access to current information about the methodology and to examples of how it is applied.

NIST RMF

NIST RMF (the National Institute of Standards and Technology’s Risk Management Framework, documented in NIST Special Publication 800-37) outlines a series of activities related to managing organizational risk. According to NIST, these can be applied to both new and legacy information systems.


Tata Communications uses the NIST framework in several lines of business and in its IT department to assess and manage risk. The model helps the company determine when something exceeds a certain threshold of risk.

RMF Strengths:

  • It was developed by NIST, which is charged by Congress with ensuring that security standards and tools are researched, proven and developed to provide a high level of information security infrastructure.
  • The framework lets a company readily determine which systems or applications present the highest risk if a security breach occurs.
  • Because government agencies and the businesses that support them need their IT security standards and tools to be both cost-effective and highly adaptable, the framework is continually reviewed and updated as new technology is developed and new laws are passed.
  • Independent companies have developed tools that support the NIST standards. Knowing that the underlying standard is stable, software vendors are more willing to build tooling around the framework.

RMF weaknesses:

  • You have to make sure that the people doing the risk assessment have the discipline to put reasonable data into the model, so that you get reasonable data out.
  • It’s a document; it’s not an automated tool.
  • Its nomenclature is dense: acronyms are pervasive throughout the framework and its supporting documents.

TARA

TARA, the Threat Agent Risk Assessment, is a relatively new risk-assessment framework (it was created by Intel in January 2010) that helps companies manage risk by distilling the immense number of possible information security attacks into a digest of only those exposures that are most likely to occur. The thinking is that it would be prohibitively expensive and impractical to defend against every possible vulnerability.

By using a predictive framework to prioritize areas of concern, organizations can proactively target the most critical exposures and apply resources efficiently to achieve maximum results.

The TARA methodology identifies which threats pose the greatest risk, what they want to accomplish and the likely methods they will use. The methods are cross-referenced with existing vulnerabilities and controls to determine which areas are most exposed. The security strategy then focuses on these areas to minimize efforts while maximizing effect.

TARA strengths:

  • It is well suited for manufacturers, critical infrastructure providers and others who want to evaluate risks from named actors like industrial spies, nation-states and rogue administrators.
  • There are parts of TARA—the threat agent library and the methods and objectives library—that can be easily used within other risk-assessment methodologies, especially if there is a need to standardize on common threat agents and corresponding methods.
  • It appears to be a good tool for identifying, predicting and prioritizing threats against your infrastructure. You can use it to create common libraries that can be shared among different groups.

TARA weaknesses:

  • The framework focuses on threats rather than assets. By focusing on threats rather than asset value, an assessor may miss the mark in identifying the true infrastructure risks. It also seems to assume that the only way to view risk is from the perspective of “What’s the worst thing that could happen?”
  • TARA only addresses the likelihood of threat events; it doesn’t take the impact of the risk into account.
  • It’s still new and untested.
  • TARA also appears to be yet another qualitative methodology rather than one that can be used for quantitative analysis.

References:

http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks–real-world-experience.html