Risk Frameworks and the CISSP Exam

By Lawrence C. Miller, Peter H. Gregory

If you ask an experienced security and risk professional about risk frameworks, chances are they will think you are talking about either risk assessment frameworks or risk management frameworks. You need to understand the difference for the CISSP Exam. These frameworks are distinct but deal with the same general subject matter: identification of risk that can be treated in some way.

Risk assessment frameworks

Risk assessment frameworks are methodologies used to identify and assess risk in an organization. These methodologies are, for the most part, mature and well established.

Some common risk assessment methods include

  • Factor Analysis of Information Risk (FAIR). A proprietary framework for understanding, analyzing, and measuring information risk.
  • OpenFAIR. An open-source version of FAIR.
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). Developed by the CERT Coordination Center.
  • Threat Agent Risk Assessment (TARA). Developed by Intel, this is a newer kid on the block.

Risk management frameworks

A risk management framework is a set of linked processes and records that work together to identify and manage risk in an organization. The activities in a typical risk management framework are

  • Create strategies and policies.
  • Establish risk tolerance.
  • Categorize systems and information.
  • Select a baseline set of security controls.
  • Implement security controls.
  • Assess security controls for effectiveness.
  • Authorize system operation.
  • Monitor security controls.

There is no need to build a risk management framework from scratch. Instead, there are several excellent frameworks available that can be adapted for any size and type of organization. These frameworks include

  • NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems.
  • ISO/IEC 27005 (Information Security Risk Management).
  • Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST).
  • COBIT 5 from ISACA.
  • Enterprise Risk Management — Integrated Framework from COSO (Committee of Sponsoring Organizations of the Treadway Commission).