risk assessment framework (RAF)
A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.
A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.
The common view an RAF provides lets an organization see which of its systems are at low risk of abuse or attack and which are at high risk. The data an RAF produces is useful for addressing potential threats proactively, planning budgets and creating a culture in which the value of data is understood and appreciated.
There are several risk assessment frameworks that are accepted as industry standards, including:
- Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30) from the National Institute of Standards and Technology (NIST).
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the CERT Program at Carnegie Mellon University's Software Engineering Institute.
- Control Objectives for Information and Related Technology (COBIT) from ISACA (the Information Systems Audit and Control Association).
To create a risk assessment framework, an organization can adopt or modify the NIST guide, OCTAVE or COBIT, or build a framework in-house that fits its business requirements. However the framework is built, it should:
1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.
2. Identify threats.
Natural disasters and power outages should be considered in addition to threats such as malicious access to systems or malware attacks.
3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and vendor issues should also be considered.
4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating the existing security controls and whether they actually work, determining the likelihood and impact of a breach given those controls (the residual risk), and assigning risk levels on a single shared scale.
5. Document risks and determine action.
This is an ongoing process, with a predetermined schedule for issuing reports. The report should document the risk level for all IT assets, define the level of risk the organization is willing to tolerate and accept, and identify procedures at each risk level for implementing and maintaining security controls.
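As an added worked example (not from the original page, and not the NIST, OCTAVE or COBIT method itself), the five steps above reduced to a small Python risk register: a shared vocabulary (one Level scale for likelihood, impact and risk), a consistent scoring method, and a report that ranks risks against a stated tolerance. The assets, threats, controls and the likelihood-by-impact weights are this example's own assumptions; the weights are modelled on the 3x3 matrix in the 2002 edition of NIST SP 800-30, scaled to integers.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Shared vocabulary: one three-step scale for likelihood, impact and risk."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Assumption: integer weights modelled on the 3x3 matrix in the 2002 edition of
# NIST SP 800-30 (likelihood 0.1/0.5/1.0 and impact 10/50/100, both scaled by 10).
LIKELIHOOD_WEIGHT = {Level.LOW: 1, Level.MODERATE: 5, Level.HIGH: 10}
IMPACT_WEIGHT = {Level.LOW: 1, Level.MODERATE: 5, Level.HIGH: 10}


@dataclass(frozen=True)
class Asset:
    """Step 1: an inventoried asset with its category and worst-case impact."""
    name: str
    category: str  # hardware, software, data, process or external interface
    impact: Level  # impact to the organization if the asset is compromised


@dataclass(frozen=True)
class Control:
    """An existing security control; 'effective' means verified by testing."""
    name: str
    effective: bool


@dataclass
class Risk:
    """Steps 2-3: one threat/vulnerability pair against one asset."""
    asset: Asset
    threat: str
    vulnerability: str
    inherent_likelihood: Level  # likelihood with no controls in place
    controls: list = field(default_factory=list)

    def residual_likelihood(self) -> Level:
        """Step 4a/4b: each verified-effective control lowers likelihood one step."""
        drop = sum(1 for c in self.controls if c.effective)
        return Level(max(int(Level.LOW), int(self.inherent_likelihood) - drop))

    def score(self) -> int:
        """Consistent assessment method: residual likelihood x impact (1..100)."""
        return LIKELIHOOD_WEIGHT[self.residual_likelihood()] * IMPACT_WEIGHT[self.asset.impact]

    def level(self) -> Level:
        """Step 4c: map the numeric score back onto the shared scale."""
        s = self.score()
        if s > 50:
            return Level.HIGH
        if s > 10:
            return Level.MODERATE
        return Level.LOW


def build_register(risks, tolerance=Level.LOW):
    """Step 5: rank risks and record an action against the accepted tolerance."""
    rows = []
    for r in sorted(risks, key=lambda r: r.score(), reverse=True):
        lvl = r.level()
        if lvl <= tolerance:
            action = "accept"
        elif lvl == Level.HIGH:
            action = "mitigate now"
        else:
            action = "mitigate on schedule"
        rows.append({"asset": r.asset.name, "threat": r.threat,
                     "likelihood": r.residual_likelihood().name,
                     "risk": lvl.name, "action": action})
    return rows


# Constructed sample inventory and risks (hypothetical, not real data).
SAMPLE_RISKS = [
    Risk(Asset("customer-db", "data", Level.HIGH),
         "external attacker", "SQL injection in web front end",
         Level.HIGH, [Control("WAF", effective=False)]),  # control exists but failed testing
    Risk(Asset("payroll-process", "process", Level.HIGH),
         "insider fraud", "no segregation of duties",
         Level.MODERATE, [Control("four-eyes approval", effective=False)]),
    Risk(Asset("hr-file-server", "hardware", Level.MODERATE),
         "power outage", "no UPS in server room",
         Level.MODERATE),
    Risk(Asset("public-website", "software", Level.LOW),
         "defacement", "out-of-date CMS",
         Level.HIGH),
]


def sample_register():
    return build_register(SAMPLE_RISKS, tolerance=Level.LOW)


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['risk']:<8} {row['asset']:<16} {row['threat']:<18} -> {row['action']}")
```

Run it directly to print the ranked register. The point of the design is that a control only lowers the score when it is marked effective after testing: the WAF in front of the customer database is present but counts for nothing, so that risk stays HIGH, while the website defacement risk lands at LOW despite a high likelihood because the asset's impact is low. The tolerance argument is where the accepted risk level from step 5 is recorded, and the same rows feed the scheduled report.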
This was last updated in October 2010