As many of you know this is one of the main projects in the ISM community and there are some different perspectives of the best method to perform and Risk Assessment. I am really hoping to get some good feedback across industries on this question.
Where does the Risk Assessment methodology come from?
I know many asset risk assessments are based on the NIST and OCTAVE methods, which is usually the work I perform. Many of the process based risk assessments I have seen are done by auditors (the Big 5 type companies). When reviewing many of these I notice they all seem different, thus I’m not sure the method’s they follow (some use COBIT). Most organizations I have consulted to use the Audit department to perform the process risk assessment while the asset risk assessment is usually done in a separate group or by information security.
Asset Risk Assessment: Brief overview
The asset based risk assessment that I perform usually focuses on asset risk in terms of the people, processes, and technology. With that said I do not map every process, like a process risk assessment. The end result of the assessment is a list of asset groups (prioritized by severity), threats (assigned a value based on likelihood) mapped to each asset group, and vulnerabilities (ranked by impact and how easy it is to compromise) associated with each asset group. All of these (assets, threats, vulnerabilities) have scores associated with them that when added up produce a risk score. Then risk prioritized recommendations are created to remediate the vulnerabilities.
We need both!
Is the asset assessment better than a process assessment? I don’t think so, but most organizations that I have consulted (on risk assessment) have problems with a process based risk assessment when it is done alone. However, when combined together both methods usually cover most areas of risk. Again, I don’t think either one is better than the other. I believe we need a mechanism in place to assess both the asset and its associated processes.
What is your view?