5 IT risk assessment frameworks compared

From a cybersecurity standpoint, organizations are operating in a high-risk world. The ability to assess and manage risk has perhaps never been more important. “Having a risk management framework is essential, because risk can never be totally eliminated; it can only be effectively managed,” says Arvind Raman, CISO at telecommunications company Mitel Networks. “When it isn’t, organizations will likely find themselves the target of a data breach or ransomware attack, or be vulnerable to any number of other security issues.”

The most critical consideration in selecting a framework is ensuring that it’s “fit for purpose” and best suited for the intended outcomes, says Andrew Retrum, managing director in the cybersecurity and privacy practice at consulting firm Protiviti. “It’s also beneficial to select frameworks that are well known and understood already within the organization,” Retrum says. “This enables more consistent and efficient use of the framework and allows individuals across the organization to speak a consistent language.”

There’s no shortage of risk-assessment frameworks organizations can leverage to help guide security and risk executives. Here’s a look at some of the most prominent of these frameworks, each designed to address specific risk areas.

NIST Risk Management Framework

The Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST) provides a comprehensive, repeatable, and measurable seven-step process organizations can use to manage information security and privacy risk. It links to a suite of NIST standards and guidelines to support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).  

RMF provides a process that integrates security, privacy, and supply chain risk management activities into the system development lifecycle, according to NIST. It can be applied to new and legacy systems, any type of system or technology including internet of things (IoT) and control systems, and within any type of organization regardless of size or sector. The seven RMF steps are:

1. Prepare, including essential activities to prepare the organization to manage security and privacy risks.
2. Categorize, which involves sorting systems and information that’s processed, stored, and transmitted based on an impact analysis.
3. Select, which is selecting the set of NIST SP 800-53 controls to protect systems based on risk assessment;
4. Implement, deploying the controls and documenting how they are deployed.
5. Assess, to determine if the controls are in place, operating as intended, and producing the desired results.
6. Authorize, where a senior executive makes a risk-based decision to authorize the system to operate.
7. Monitor, which involves continuously monitoring control implementation and risks to systems.

“NIST RMF can be tailored to organizational needs,” Raman says. It is frequently assessed and updated, and many tools support the standards developed. It’s vital that IT professionals “understand when deploying NIST RMF it is not an automated tool, but a documented framework that requires strict discipline to model risk properly.”

NIST has produced several risk-related publications that are easy to understand and applicable to most organizations, says Mark Thomas, president of Escoute Consulting and a speaker for the Information Systems Audit and Control Association (ISACA). “These references provide a process that integrates security, privacy, and cyber supply chain risk management activities that assists in control selection and policy development,” he says. “Sometimes thought of as guides for government entities, NIST frameworks are powerful reference for government, private, and public enterprises.”

OCTAVE

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), developed by the Computer Emergency Readiness Team (CERT) at Carnegie Mellon University, is a framework for identifying and managing information security risks. It defines a comprehensive evaluation method that allows organizations to identify the information assets that are important to their goals, the threats to those assets, and the vulnerabilities that might expose those assets to the threats.

By putting together the information assets, threats, and vulnerabilities, organizations can begin to understand what information is at risk. With this understanding, they can design and deploy strategies to reduce the overall risk exposure of information assets.

Two versions of OCTAVE are available. One is OCTAVE-S, a simplified methodology designed for smaller organizations that have flat hierarchical structures. The other is OCTAVE Allegro, which is a more comprehensive framework suitable for large organizations or those that have complex structures. 

“OCTAVE is a well-designed risk assessment framework because it looks at security from a physical, technical, and human resource perspective,” Raman says. “It identifies assets that are mission-critical for any organization and uncovers threats and vulnerabilities. However, it can be very complex to deploy and it solely quantifies from a qualitative methodology.”

The flexibility of the methodology “allows teams from operations and IT to work together to address the security needs of the organization,” Thomas says.

COBIT

Control Objectives for Information and related Technology (COBIT), from ISACA, is a framework for IT management and governance. It is designed to be business focused and defines a set of generic processes for the management of IT. Each process is defined together with process inputs and outputs, key activities, objectives, performance measures and an elementary maturity model.

The latest version, COBIT 2019, offers more implementation resources, practical guidance and insights, as well as comprehensive training opportunities, according to ISACA. It says implementation is now more flexible, enabling organizations to customize their governance via the framework.

COBIT is a “high-level framework aligned to IT management processes and policy execution,” says Ed Cabrera, chief cybersecurity officer at security software provider Trend Micro and former CISO of the United States Secret Service. “The challenge is that COBIT is costly and requires high knowledge and skill to implement.”

The framework “is the only model that addresses the governance and management of enterprise information and technology, which includes an emphasis [on] security and risk,” Thomas says. “Although the primary intent of COBIT is not specifically in risk, it integrates multiple risk practices throughout the framework and refers to multiple globally accepted risk frameworks.”

TARA

Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cybersecurity vulnerabilities and deploy countermeasures to mitigate them, according to MITRE, a not-for-profit organization that works on research and development in technology domains including cybersecurity.

The framework is part of a MITRE’s portfolio of systems security engineering (SSE) practices. “The TARA assessment approach can be described as conjoined trade studies, where the first trade identifies and ranks attack vectors based on assessed risk, and the second identifies and selects countermeasures based on assessed utility and cost,” the organization claims.

Unique aspects of the methodology include use of catalog-stored mitigation mappings that preselect possible countermeasures for a given range of attack vectors, and the use of countermeasure strategies based on the level of risk tolerance.

“This is a practical method to determine critical exposures while considering mitigations, and can augment formal risk methodologies” to include important information about attackers that can result in an improved risk profile, Thomas says.

FAIR

Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. Developed by Jack Jones, former CISO of Nationwide Mutual Insurance, the framework is mainly concerned with establishing accurate probabilities for the frequency and magnitude of data loss events.

FAIR is not a methodology for performing an enterprise or individual risk assessment. But it provides a way for organizations to understand, analyze, and measure information risk. The framework’s components include a taxonomy for information risk, standardized nomenclature for information-risk terms, a method for establishing data-collection criteria, measurement scales for risk factors, a computational engine for calculating risk, and a model for analyzing complex risk scenarios.

FAIR “is one of the only methodologies that provides a solid quantitative model for information security and operational risk,” Thomas says. “This pragmatic approach to risks provides a solid foundation to assessing risks in any enterprise.” However, while FAIR provides a comprehensive definition of threat, vulnerability, and risk, “it’s not well documented, making it difficult to implement,” he says.

The model differs from other risk frameworks “in that the focus is on quantifying risks into actual dollars, as opposed to the traditional ‘high, medium, low’ scoring of others,” Retrum says. “This is gaining traction with senior leaders and board members, enabling a more thoughtful business discussion by better quantifying risks in a meaningful way.”

Editor’s note: This article, originally published May 3, 2010, has been updated with current information.