4. NIST Risk Management Framework
This is it: The Risk Management Framework (RMF) was developed by the US agency NIST (National Institute of Standards and Technology). This framework focuses on a comprehensive, reusable and measurable seven-step process to manage IT and data protection risks. A whole range of NIST’s own standards and guidelines are used to support the implementation of risk management initiatives.
This is what it can do: According to NIST, the RMF implements a process that integrates security, privacy and supply chain risk management activities into the system development lifecycle. The approach takes into account effectiveness, efficiency and restrictions imposed by applicable laws, directives, orders, guidelines, standards or regulations.
This is how it works: The seven-step process of the NIST RMF is divided into:
- essential activities to prepare the organization for managing security and privacy risks to prepare.
- Systems and data that are processed, stored and transmitted based on an impact analysis categorize.
- a series of control measures chooseto protect systems based on a risk assessment.
- Control measures implement – and document how this happens.
- Review control measures and evaluatewhether these work as desired.
- System operation based on a risk-based decision authorize.
- Implementation and system risks continuously monitor.
Good to know: The RMF provides a procedural and organized process to help organizations embed security into their overall risk management processes.
5. OCTAVE
This is it: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation (PDF)) is a framework for identifying and managing cybersecurity risks. It was developed by the CERT team at Carnegie Mellon University in the USA.
This is what it can do: This risk assessment framework defines a comprehensive evaluation method. This not only enables companies to identify mission-critical IT assets, but also the threats associated with them and the vulnerabilities that make this possible.
This is how it works: According to those responsible, the compilation of IT assets, threats and vulnerabilities allows companies to penetrate which data is really at risk. Armed with this understanding, users can develop and implement a protection strategy to protect them sustainably.
Good to know: The OCTAVE framework is available in two versions.
- OCTAVE-S offers a simplified methodology aimed at smaller companies with flat hierarchical structures.
- OCTAVE Allegro, on the other hand, is a more comprehensive framework that is primarily suitable for large companies or those with complex structures.
6. TARA
This is it: TARA (Threat Assessment and Remediation Analysis) represents an engineering methodology that can be used to identify, evaluate and resolve security gaps. This framework was developed by the non-profit organization MITER.
This is what it can do: The framework is part of the MITER system portfolio, which is designed to address cybersecurity hygiene and the resilience of IT systems at the earliest possible stage (within the procurement process).
This is how it works: The TARA framework uses a data catalog to identify attack vectors that could be used to exploit system vulnerabilities and initiate potential countermeasures.
Good to know: TARA was originally developed in 2010 and has already been used in more than 30 cyber risk assessments. This framework is particularly suitable for risk studies that focus on security threats. (fm)
This article originally appeared at our sister publication CSOonline.com.
