Tuesday, April 11, 2017

Resources for presentation on IT Risk

As mentioned previously, I gave a presentation on IT Risk at the 2017 Security BSides Orlando Conference.  The title was "Risk: It's more than just a game from Parker Brothers".  I was trying to be a little cute and have a catchy title.

The talk was about IT Risk, and I was aiming it at infosec professionals.  My idea is that risk is important to understand, as we do security to reduce risk to the organizations we work for.  But I think too many infosec folks just don't have a good understanding of it.

Now, the talk has been posted.  I'm not sure how well it came out.  I'll update this post with a link.

But what I wanted to give here was information on the sources and materials I used for the talk.

I mainly used the risk management framework from ISO/IEC 27005, but also mentioned a few other frameworks as well.

I actually found the article on Wikipedia on IT Risk Management to be pretty good.  Check it out.

I advised, and will repeat it here, that there are all kinds of risk.  We deal with "IT Risk".  So in your own searching and research, focus on "IT risk" and "Information Security Risk".

Other sources:
Against the Gods: The Story of Risk is a good intro to risk (all risk) for the general reader.  Recommended.

Risk: A Very Short Introduction is part of Oxford's series of "very short intros".  Again, this is about all risk, not just IT.

Syngress has a trio of books (from different authors) that are worth looking into:

Security Risk Management
Metrics & Methods for Security Risk Management
Information Security Risk Assessment Toolkit

The last work looked at some of the same frameworks I did, and gives some good info on them that I couldn't cover, such as their strengths and weaknesses.

Now, I touched on several frameworks.  There are more than I could get into.  I mentioned, in no particular order:

OCTAVE.  From SEI.  Used mainly in the government realm.  There have been three versions over the years.  The current one is OCTAVE Allegro.  You can get a hardcover book on OCTAVE, but it covers the original version.  If you check Amazon, you can get it pretty cheap.  But the Guidebook to OCTAVE Allegro is free from SEI's website.

FAIR.  This is from the FAIR Institute and is a quantitative risk assessment methodology you can use within any risk management framework.  I'm not up on it.  Check out the Institute, get the book.

NIST.  Ok.  NIST is the National Institute of Standards and Technology.  Part of what they do is a series of FREE special publications (the SP800 series) in infosec.  Several are done for FISMA, which is an infosec management framework mandated for federal agencies (compared to the NIST CSF and ISO/IEC 27001).

Within that series are a couple that people should want to look at: SP800-30R1, which is about risk assessments, and SP800-39, which is about managing infosec risk.  Now, SP800-37R1 covers the RMF, which is the Risk Management Framework, but I see the RMF as more comparable to the Plan-Do-Check-Act methodology recommended for ISO/IEC 27001 than something I'd compare to ISO 31000.  Am I wrong?  Let me know.

ISO.  ISO is the International Organization for Standardization.  It puts out a lot of standards that various industries follow.  For infosec, there is the 27000 series, which sets down how to implement an "information security management system".  Mainly people speak of 27001 and 27002 for this.  There is also ISO/IEC 27005, which is the risk management part of the series, based on ISO 31000, which is the series on risk management.  Sadly, you'll have to pay for all the ISO works, and they are not cheap, so be advised.  There are a couple of sources, such as ANSI and the ITGovernance Institute.

As I noted, there are others.

COBIT, which is an IT Governance framework from ISACA, includes IT risk in it.  ISACA had a work called Risk IT that was merged into COBIT 5, the current version.  AFAIK, Risk IT as a separate work is only available to ISACA members as a PDF.

You also see there is a larger body of work on "enterprise risk management", which is more than IT risk.  One such is the Enterprise Risk Management framework from COSO.  They are actually in the process of updating the ERM, be advised.

There is training out there for risk and certifications.

In the area of certifications, the only general one I can recommend is CRISC (Certified in Risk and Information Systems Control) from ISACA.  I have that one.  ISACA has resources for this, such as a Review Manual, but I would only recommend that as a post-cert reference, not as a learning aid.  There is training for this cert, but the only one I'd recommend is the on-line course done by Jay Ranade through the NY Metro chapter.  I took that and got a lot out of it.

There are also training and certs for specific frameworks.  I am aware of this being available for FAIR, OCTAVE (training only), ISO 27005 (I think I've come across that), and RMF/FISMA.

If you have any experience with these or others, please post comments.