Forum Initiates Risk Management, Analysis Taxonomy Standard

Jun 24, 2008 2:48 PM

The Open Group, a vendor- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, has announced that the organization’s Security Forum has initiated work on a risk management and analysis taxonomy standard. This is the first phase of a comprehensive initiative aimed at eliminating widespread industry confusion about risk management among risk managers, security and IT professionals as well as business managers. Risk management vendors and their customers interested in getting involved can learn more at www.opengroup.org/security.

The Security Forum’s focus on a risk management and analysis taxonomy is in direct response to the idea that risk analysis has historically been more art than science. Prior risk taxonomies used terms that were ill-defined, resulting in many inconsistent definitions and taxonomies within the information security landscape. None of these provided a clear and logical representation of the fundamental problem that the risk management profession must control: the frequency and magnitude of loss.

“The Open Group Security Forum has chosen to start this standards work from its core – understanding what ‘risk’ truly is,” says Mike Jerbic, chairman, The Open Group Security Forum. “We believe that no significant progress can be made until we have a rigorous taxonomy for the terms and definitions we use in risk management.

The Open Group Security Forum’s risk taxonomy will promote a consistent, tightly defined use of risk management terminology, in order to ensure a common understanding between different analysts and analysis methods. Misunderstandings of language and meaning often exist between senior management, personnel responsible for enterprise risk management and those responsible for IT risk management. Seemingly simple terms such as “threat,” “vulnerability” and “risk” are used with different meanings by these various stakeholders. A commonly accepted taxonomy of terms and definitions is essential to enable all of the interested parties - including risk management practitioners, business managers and IT professionals – to understand each other and ultimately achieve their desired risk management goals.

Risk Management Insight, a member of The Open Group’s Security Forum, seeded the initiative by contributing its FAIR (Factor Analysis for Information Risk) risk management taxonomy and methodology as the foundation for further development. “We felt that The Open Group’s Security Forum was a perfect organization to lead the charge in developing a standard common language, or taxonomy, for risk management and analysis,” says Alex Hutton, CEO of Risk Management Insight. “With the increasingly complex security requirements, organizations cannot afford to not be on the same page when it comes to assessing these risks.”

“Risk management is an area where standards work is sorely needed; we see on a daily basis the perils associated with not having all parties ‘speak’ the same language,” says Jim Hietala, vice president of Security, The Open Group. “We look forward to ongoing collaboration among our current Security Forum Members and encourage participation by other industry experts to develop a standard taxonomy.”

As there are many risk assessment methodologies available - all claiming to produce better results than the others - The Open Group Security Forum’s goal is to enable an objective evaluation of how any one risk assessment methodology achieves a comprehensive risk assessment and credible results. After the initial taxonomy has been established, the Security Forum will develop an industry standard aimed at defining the essential components, methodology and characteristics, that an effective Risk Assessment Methodology must address, and globally promote these as common criteria. The scope of this next phase is likely to include mapping these common criteria to the requirements established in other relevant industry-specific standards such as BITS Shared Assessments standards and COBIT (Control Objectives for Information and related Technology).

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue