Leading the development of open methodologies for managing risk
Managing risk is an essential component of an information security program. Risk management is fundamental to effectively securing information, IT assets, and critical business processes. Risk management is also a challenge to get right. With numerous risk management frameworks and standards available, it can be difficult for practitioners to know where to start, and what methodologies to employ.
Recognizing the importance of risk management, The Open Group has done, and continues to do, significant work in this area. Besides the standards and guides noted below, The Open Group has also introduced a certification program for risk analysts. This program is called the Open Group FAIR Certification Program for People, and full details on the certification program may be found here.
Publications in the area of risk management include:
- Risk Taxonomy Standard (O-RT). This document provides a standard definition and taxonomy for information security risk, as well as information regarding how to use the taxonomy. The intended audience for this document includes anyone who needs to understand and/or analyze a risk condition. This includes, but is not limited to, information security and risk management professionals, auditors and regulators, technology professionals, and management. This standard is based upon FAIR, Factor Analysis of Information Risk.
- Risk Analysis Standard (O-RA). A companion to the Risk Taxonomy, this document describes the process aspects of risk analysis. This standard is also based upon practices from FAIR.
Note that commercial use of either of the two standards above requires a commercial license, which may be found here.
- Requirements for Risk Assessment Methodologies. This document identifies and describes the key characteristics that make up any effective risk assessment methodology, thus providing a common set of criteria for evaluating any given risk assessment methodology against a clearly defined common set of essential requirements.
- FAIR – ISO/IEC 27005 Cookbook. This document describes in detail how to apply the Risk Taxonomy Standard and the FAIR (Factor Analysis of Information Risk) methodology to the ISO/IEC 27005 standard. This cookbook will be of interest to anyone seeking to use FAIR alongside other risk management frameworks (including COSO, ITIL, OCTAVE, COBIT, and others).
Ongoing work projects in the area of risk management include:
- Dependency Modeling - Managing Risk in Complex Interdependent Systems. This project seeks to create a standard for evaluating trust levels in order to establish a chain of trust between collaborating parties, allowing the secure and trusted exchange of digital information and transactions based on risk status. This project is part-funded by the UK Technology Strategy Board (TSB).