Comments on: Risk Assessment: A Starting Point http://blog.securitymonks.com/2008/09/22/risk-assessment-a-starting-point/ Information about developments at the Monastery Sun, 29 Aug 2010 14:26:49 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: System Advancements at the Monastery » Blog Archive » COBIT 5 equals COBIT 4.1, Risk IT, and Val IT 2.0 http://blog.securitymonks.com/2008/09/22/risk-assessment-a-starting-point/comment-page-1/#comment-28728 System Advancements at the Monastery » Blog Archive » COBIT 5 equals COBIT 4.1, Risk IT, and Val IT 2.0 Tue, 23 Mar 2010 20:52:08 +0000 http://blog.securitymonks.com/?p=439#comment-28728 [...] O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths”): Six Risk Management [...] [...] O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths”): Six Risk Management [...]

]]> By: Alex http://blog.securitymonks.com/2008/09/22/risk-assessment-a-starting-point/comment-page-1/#comment-11504 Alex Mon, 22 Sep 2008 11:44:15 +0000 http://blog.securitymonks.com/?p=439#comment-11504 Articulate and well thought out. One thing I might add, if I may, is that FAIR is actually more concerned with the creation of accurate probabilities than how you go about _doing_ an enterprise risk assessment (because there are plenty of cookbooks for that). So FAIR isn't actually incongruous with use in OCTAVE or 800-30 or any other assessment methodology with a "scan/prioritize/fix/repeat/" Deming cycle at it's core. Another resource you or your readers may be interested in is ENISA's document that compares 18 different Risk Assessment Methodologies. They are a little obtuse on their definitions of risk and how the 18 ass.meth.'s address their specific world view, but it is an interesting comparison document. I got a big kick out of the monster diagram that was their review decision tree. Articulate and well thought out. One thing I might add, if I may, is that FAIR is actually more concerned with the creation of accurate probabilities than how you go about _doing_ an enterprise risk assessment (because there are plenty of cookbooks for that). So FAIR isn’t actually incongruous with use in OCTAVE or 800-30 or any other assessment methodology with a “scan/prioritize/fix/repeat/” Deming cycle at it’s core.

Another resource you or your readers may be interested in is ENISA’s document that compares 18 different Risk Assessment Methodologies. They are a little obtuse on their definitions of risk and how the 18 ass.meth.’s address their specific world view, but it is an interesting comparison document. I got a big kick out of the monster diagram that was their review decision tree.

]]>