Risk Management and Analysis Standards Update
2008-06-17 16:51:27 by Alex in RiskAnalys.is
 

We’re kind of having a big day today.  Three things are going on that I wanted to update you on.  A webinar reminder/update, a standards announcement concerning FAIR and Risk Management, and RMI has a new website!

CISCO WEBINAR UPDATE
First, Jack’s Webinar with Cisco is Thursday.  If you were lucky enough to get a slot, be sure to catch it.  If you didn’t get a slot but would like to still go, let me know (info –at– riskmanagementinsight–dot–com - subject Webinar).

RISK MANAGEMENT STANDARDS AND FAIR

Second, The Open Group has a Press Release out this morning:

“The Open Group Security Forum Initiates Development of Risk Management and Analysis Taxonomy”

You might know The Open Group from their efforts with UNIX or SOA or helping the Jericho Forum.  You’ll recall that a while back I had mentioned that RMI was working with The Open Group, and today’s announcement is the culmination of about a year and a half of effort there.  Today The Open Group formally announces our (we’re members) intent to put a stake in the ground concerning risk and risk management.

Our goal is common language and common models to create meaning.  This has the capacity to change everything - the way we audit, the way we talk to other lines of business, the way we gather metrics… a Herculean effort, to be sure, but I think that The Open Group is one organization that can effect change because it is:

  • Open & Participatory - Unlike many organizations developing security standards, anyone can join and anyone can contribute.  Because there are real people (doing real risk work) as members of the forum, you won’t sit back at the end of some work day working on risk and think, “Who are these people, and why are they making my life so miserable with all these unnecessary hoops to jump through?”
  • Authoritative and Structured - That is, change is welcome but carefully instituted.

These are important qualities to me.  When you look around at some of the risk management efforts out there, too often you’ll find that the people instituting models and standards are removed from the actual practitioner, and/or the institutions creating these standards are autocratic.  The change our profession needs cannot happen from one vendor or from one bureaucracy that takes little account of the wishes and opinions of its constituency.

YET ANOTHER RISK MANAGEMENT EFFORT?

Some folks may be thinking “do we really need another risk management effort?” And really, I sympathize with the thought.  There’s ISO risk management stuff, there’s OCTAVE and NIST 800-30 and AS/NZ 340 and CRAM and FRAP and others…

And this is where I think FAIR and The Open Group have a good fit.  FAIR, as a model for analysis, does not compete with but rather complements OCTAVE and NIST 800-30 and ISO 2700x (that reminds me, Rybolov, I’ve got to respond to your 800-30 article).  In fact, one of the goals for the work with The Open Group is supporting documentation (call them white papers or guidance letters or whatever) that talks about how to use FAIR and the work of The Open Group Forum with ISO 27001, or as probability determination within OCTAVE, or in the context of COSO efforts, etc…

SO WHAT DOES THIS MEAN TO YOU?

Well, it means a couple of things.  First, you have somewhere to go where people are vetting the models.  There is a forum of users and people with the same risk management issues and challenges as you have, but that are committed to working together to make things better.  A forum in which you can contribute and work to vet models against experience.  A forum that is a “vendor- and technology-neutral consortium” with experience building standards that work to interoperate across organizational and industrial boundaries.

Second, it means that you have a nice reference point for people who want it.  Defending the use of FAIR over some other analysis method got a little easier thanks to the increased credibility of The Open Group.

Third, new and exciting things are already happening at The Open Group in the Security Forum surrounding new standards and new ways of doing business.  Even if Risk Analysis isn’t your primary passion, let me encourage you to get involved with The Open Group’s Security Forum. Mike Jerbic and Ian Dobson there both have a passion to help codify what works and what helps security and risk management departments, regardless of “silo” or discipline.

WHAT DOES THIS MEAN TO RMI?
If you’re an employee, or client, or just a well-wisher, today’s announcement is just one culminating factor of the past year of changes RMI has undergone.  The announcement means that we’re now no longer the sole custodians of FAIR, but simply part of a larger effort to drive a better understanding of risk in our industry.  We (RMI) have a responsibility to support and contribute to the effort, but the journey is no longer ours alone.  We’ve got friends.

New Website

I think our new website better reflects who we are and what we do.  It takes into account not just what we can do because of FAIR, but also what we’ve been able to synthesize because of it (and the use of our other models and frameworks to create a whole picture of what Risk Management is).  The primary focus of our message no longer needs to be that we’ve got something new and cool that makes you better - we’re freer to talk about our experience and abilities - very much reflecting the maturity we’re experiencing as a company.
