IT risk assessment methodology evaluation and application

An information security strategy is incomplete without risk assessment (RA). Selection of the right IT risk assessment methodology is central to any information gathering exercise that aims to formulate a proactive security posture. Since effective risk management lies in identification of risks relative to business goals and key assets, choosing the right risk assessment methodology is a prerequisite.

IT risk assessment frameworks reduce risk to a measurable quantity, making it possible to address security gaps systematically. Risk assessment must not be confused with an audit. In risk assessment, a one-size-fits-all approach never works – it is destined to stifle productivity and business efficiency. This guide looks at some of the popular IT risk assessment methodologies, highlighting their respective workflows, relevance, and the various points of differentiation between them.


The IT risk assessment methodology should provide focused information on an enterprise’s current security posture. It should be able to highlight deficiencies, and create a correction strategy. The focus of an IT risk assessment methodology can be on specific aspects of the IT setup or an enterprise-wide evaluation. Here is a brief overview of what constitutes an effective risk assessment process – from technical procedures to policy, and everything in between.

The latest IT risk assessment methodology from the ISO stable is the ISO 27005 standard. First published in June 2008, it is based on concepts specified in ISO 27001. It is a unique IT risk assessment methodology in that it gives organizations plenty of leeway to define their own risk parameters. This approach is markedly different from other risk assessment standards on the market, such as OCTAVE and NIST SP 800-30. Discover how you can use ISO 27005 to your advantage.

The OCTAVE method for IT risk assessment follows a self-directed approach to risk assessment, relative to business objectives. The idea here is to leverage an organization’s core business expertise towards identification of risks unique to its business paradigms. As an IT risk assessment methodology, OCTAVE is context-driven and self-directed, based on applying the experience an organization has gleaned over time to its unique business needs. This tip is a comprehensive overview of the standard’s relevance and workflow.

NIST SP 800-30 is an IT risk assessment methodology that has been around for a long time. First published in July 2002, it focuses solely on securing IT infrastructure. NIST SP 800-30 approaches risk assessment from a purely technical perspective, and has been influential in the formulation of most prominent IT risk assessment methodologies. This part of our guide addresses the workflow and logic behind NIST SP 800-30, and how it differs from other risk assessment standards.

Small merchants lack hefty IT security investments, making them highly susceptible to fraud and security breaches involving sensitive customer data. To help such entities, an IT risk assessment framework under PCI DSS is available in the form of self-assessment questionnaires (SAQs). This can be a feasible and cost-effective alternative to pursuing full compliance under PCI DSS 2.0. Join us as we outline the IT risk assessment checklist for small merchants who opt for SAQ compliance.

This was first published in August 2011