Risk Assessment Framework (RAF)
Latest revision as of 16:42, 20 January 2023

What is a Risk Assessment Framework (RAF)?

A Risk Assessment Framework (RAF) is an approach for prioritizing and sharing information about the security risks posed to an information technology organization. The information should be presented in a way that both technical and non-technical personnel in the group can understand. An RAF helps organizations identify and locate both low-risk and high-risk areas in a system that may be susceptible to abuse or attack.[1]

Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to comply with so many regulations, it is a huge challenge.

Several formal IT risk-assessment frameworks have emerged over the years to guide security and risk executives through the process. These include:[2]

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Factor Analysis of Information Risk (FAIR)
  • NIST Risk Management Framework (RMF)
  • Threat Agent Risk Assessment (TARA), a recent creation


Risk Assessment Template Best Practices

Risk assessments are plagued by subjectivity, which means they cannot be relied upon to meet their objective. Subjectivity prevents risk assessments from being used across business silos and makes verification by audit or compliance review impossible. It can be overcome by using a risk assessment template framework with the following best-practice attributes:

  • Adopt a uniform numerical scale: Score every factor on a scale of 1 to 10, with 10 having the most unfavorable consequences for the organization, and split the scale into 5 buckets (1-2, 3-4, 5-6, 7-8, 9-10) so that each bucket has a high and a low value. A 10-point scale keeps the arithmetic simple, and having only 5 buckets gives assessors the flexibility to choose the high or low end of a bucket.
  • Define objective evaluation criteria: Often one person's 9 is another person's 7. Define each of the 5 buckets in unambiguous terms. Severity can be expressed in several ways, both qualitative and quantitative (financial, legal, strategic, and so on), and a factor is rated at a given level as soon as any one of the criteria listed for that level is met. Any set of standards, including laws, regulations and corporate policies and procedures, can be compared with current practice. Any qualitative criterion can be given a score so that it becomes quantitative and comparable across the enterprise.
  • Calibrate assessment criteria: Whatever criteria are used, all of them should sit on the same 1-10 scale and be calibrated, meaning that a 7 denotes the same severity regardless of which criterion produced it, even if the descriptions differ. Calibration is what allows individual assessments to be aggregated into a holistic view of risk.
  • Use universal business elements: Break risk assessments down into basic elements, such as business processes and resources, that are standardized across business silos or business units. Assessing vendor characteristics separately from the products and services they sell makes it easy to keep assessments objective as changes occur, such as mergers and acquisitions or new product introductions.
  • Link risk assessment templates: Connect the elements to each other: vendors to the products and services they provide, and those to the business processes that rely on them; each financial element to the business processes that contribute to it; and every internally developed application and data repository to the business processes that depend on it. With these links in place, risk assessment data can be aggregated and reported along the linked relationships to give a holistic picture of all template results. For example, a vendor may supply several products and services of differing quality and risk; assessing each one individually and linking those assessments to the vendor profile gives a process owner a much clearer picture of the combination of products, services and vendors in use. The result is a single summary score for each business process that combines the scores of every resource and financial item associated with that process with the process's own score. With this information you can prioritize and focus your enterprise risk management (ERM) efforts.
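The five attributes above describe one scoring scheme: a calibrated 1-10 scale in five buckets, criteria that rate a factor at the highest level any single criterion reaches, and linked business elements whose scores roll up to one summary score per process. The following is an added worked example and is not code from the original page or from any of the frameworks it lists. It assumes a worst-of (maximum) roll-up rule, which the page does not specify, and the financial and legal thresholds, element names and scores are constructed for the illustration.

```python
"""Linked risk-assessment template with calibrated 1-10 scoring.

Added example, not code from the original page. Assumptions (not stated
by the page): the roll-up rule is worst-of (maximum) over an element and
everything it depends on; the criteria thresholds and sample data below
are constructed for this illustration.
"""
from dataclasses import dataclass, field

# Five buckets over the 1-10 scale: 1-2, 3-4, 5-6, 7-8, 9-10.
BUCKET_LABELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}


def bucket(score: int) -> int:
    """Map a 1-10 score to its bucket (1..5); reject anything off the scale."""
    if not 1 <= score <= 10:
        raise ValueError(f"score {score} is outside the 1-10 scale")
    return (score + 1) // 2


# Calibrated criteria: a 7 reached via financial loss means the same severity
# as a 7 reached via legal exposure. Thresholds are constructed for the example.
FINANCIAL_LEVELS = [(1, 0), (3, 10_000), (5, 100_000), (7, 1_000_000), (9, 10_000_000)]
LEGAL_LEVELS = {
    "none": 1,
    "contract breach": 3,
    "regulatory finding": 5,
    "regulatory fine": 7,
    "criminal liability": 9,
}


def rate_factor(loss_usd: float = 0.0, legal: str = "none") -> int:
    """Rate a factor at the highest level that any single criterion reaches."""
    financial = max(level for level, threshold in FINANCIAL_LEVELS if loss_usd >= threshold)
    if legal not in LEGAL_LEVELS:
        raise ValueError(f"unknown legal criterion: {legal!r}")
    return max(financial, LEGAL_LEVELS[legal])


@dataclass
class Element:
    """A universal business element: vendor, product, application, financial item or process."""
    name: str
    kind: str
    score: int
    depends_on: list["Element"] = field(default_factory=list)

    def __post_init__(self) -> None:
        bucket(self.score)  # validates that the score is on the 1-10 scale


def summary_score(element: Element) -> int:
    """Roll up the element's own score with every linked element's score (worst-of).

    The visited set guards against cycles in a hand-maintained link graph,
    which would otherwise loop forever.
    """
    worst = 0
    seen: set[int] = set()
    stack = [element]
    while stack:
        current = stack.pop()
        if id(current) in seen:
            continue
        seen.add(id(current))
        worst = max(worst, current.score)
        stack.extend(current.depends_on)
    return worst


def prioritize(processes: list[Element]) -> list[tuple[str, int, str]]:
    """Return (process name, summary score, bucket label), worst first."""
    rows = []
    for process in processes:
        score = summary_score(process)
        rows.append((process.name, score, BUCKET_LABELS[bucket(score)]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def build_example() -> list[Element]:
    """Constructed sample: one vendor, two products, one app, one financial item, two processes."""
    vendor = Element("Acme Hosting", "vendor", 4)  # vendor characteristics assessed on their own
    managed_db = Element("Managed DB", "product", rate_factor(loss_usd=2_000_000), [vendor])  # 7
    cdn = Element("CDN", "product", rate_factor(legal="contract breach"), [vendor])  # 3
    portal = Element("Order Portal", "application", 6, [managed_db])
    revenue = Element("Online revenue", "financial",
                      rate_factor(loss_usd=5_000_000, legal="regulatory finding"))  # 7
    fulfilment = Element("Order fulfilment", "process", 5, [portal, revenue])
    marketing = Element("Marketing site", "process", 2, [cdn])
    return [fulfilment, marketing]


if __name__ == "__main__":
    for name, score, label in prioritize(build_example()):
        print(f"{name:<18} {score:>2}  ({label})")
```

Running the block ranks "Order fulfilment" at 7 (major), because the Managed DB product and the revenue item it depends on both rate 7, ahead of "Marketing site" at 4 (minor), where the vendor profile (4) outweighs the CDN product (3). Swapping the `max` in `summary_score` for a weighted mean is a one-line change if an organization prefers an averaging roll-up, but the calibration step is what makes either rule meaningful across criteria.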


See Also

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • NIST Risk Management Framework (RMF)
  • Factor Analysis of Information Risk (FAIR)
  • Threat Agent Risk Assessment (TARA)


References

  1. Defining Risk Assessment Framework (RAF), Techopedia: https://www.techopedia.com/definition/14010/risk-assessment-framework-raf
  2. Formal IT risk assessment frameworks, CSO Online: http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html