Risk management (security) has many flavors of processes and standards including (but not limited too): ISO 31000, NIST Risk Management Framework 800-37, DIARMF, ISACA RISK IT Framework, ITSG-33, and PMI Risk Management (just to name a few of the most prominent English variants).
ISO 31000:2009 Risk Management Wiki
The International Organization for Standardization (ISO) has developed a standard for Risk management . Its called ISO 31000:2009, Risk management – Principles and guidelines. ISO 31000:2009 has created a system of risk management that can be applied universally to most organizations around the world. This is significant as it allows two organization from different countries to map to different risk management frameworks with 31000 as a reference.
NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
Is the defacto Risk Management Framework of the US Federal government. Developed by National Institute of Standards and Technology (NIST) in collaboration with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS). It is the center piece for all federal organization security processes. The NIST also works on mapping the 800-37 to the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001, Information Security Management System (ISMS) and 31000.
Defense Information Assurance Risk Management Framework (DIARMF 8510)
DIARMF is based on a combination of CNSSI 1253 & NIST SP 800-37. It Applies to ALL US Defense departments. This is a big deal because in the past it was based on differing interpretations of DoD IA Certification & Accreditation Program. Since each agency and department had their own process, it was expensive, time consuming and incredibly inefficient to get critical data from one organization to another. DIARMF relies on heavy use of continuous monitoring tools pushed by FISMA 2012.
ISACA Risk IT Framework provides complete end to end framework for managing information technology security threats exploiting asset vulnerabilities.
ITSG – IT Security Risk Management: Life cycle Approach
Issued by the Chief, Communications Security Establishment Canada (CSEC) ITSG – 33, is the Government of Canada’s response to emerging cyber threats within the available resources of the country. By applying security from the very begining of the sytems lifecycle they deal with risk management in a more intelligent and fiscally responsible way. ITSG-33 covers roles, responsibilities and activities of the Canadian risk management.
PMI Risk Management professional is actually a certification for providing risk management.
Leave a Reply
You must be logged in to post a comment.