3 Risk Assessment Methodologies
Transcription
We’re going to talk about the three main different risk assessment methodologies. The first is the ISO 27005 framework. This framework is useful for all different types of organizations and is widely accepted. It is a quantitative risk assessment framework that involves breaking down risk analysis into risk identification and risk estimation. The NIST 800-30 is the most useful for technology related risk assessments. This framework incorporates nine primary steps that result in risk mitigation. This framework is used specifically to translate cyber risks in a way that can be understood by the board or CEO. Finally, the OCTAVE framework is targeted at organizational risk, focuses on strategic issues, and is flexible enough to be adapted to most organizations. It is most useful for process specific risk assessments that focus on people’s knowledge. The primary differences in these three different methodologies are that the NIST is primarily a management system that allows for third party execution, and it allows tactical organizational issues. The OCTAVE method is self-directed and only allows for organizational resources to participate in the risk assessment. An ISO covers people, processes, and technology and is generally geared towards higher level management practices.
We’re going to talk about the three main different risk assessment methodologies. The first is the ISO 27005 framework. This framework is useful for all different types of organizations and is widely accepted. It is a quantitative risk assessment framework that involves breaking down risk analysis into risk identification and risk estimation. The NIST 800-30 is the most useful for technology related risk assessments. This framework incorporates nine primary steps that result in risk mitigation. This framework is used specifically to translate cyber risks in a way that can be understood by the board or CEO. Finally, the OCTAVE framework is targeted at organizational risk, focuses on strategic issues, and is flexible enough to be adapted to most organizations. It is most useful for process specific risk assessments that focus on people’s knowledge. The primary differences in these three different methodologies are that the NIST is primarily a management system that allows for third party execution, and it allows tactical organizational issues. The OCTAVE method is self-directed and only allows for organizational resources to participate in the risk assessment. An ISO covers people, processes, and technology and is generally geared towards higher level management practices.