Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Strengths & Limitations of Risk Management Standards


Published on

Much airtime is given to various standards for information security and risk management, but how much value can really be derived from them? At what point do they cross the line from "useful" to "too much effort and cost"? How can you best leverage standards to improve quality and performance? These questions, and more, will be addressed in this session as we explore the most common standards and how to best leverage them in managing the operational risk portfolio.

Published in: Technology
  • Login to see the comments

  • Be the first to like this

The Strengths & Limitations of Risk Management Standards

  1. 1. The Strengths & Limitations of Risk Management Standards TOG Baltimore, July 20, 2015 Ben Tomhave
  2. 2. Let’s be frank… Frank Gehry responds to critics during a press conference in Oviedo, Spain Photo via: Faro de Vigo
  3. 3. Standards, while useful, are no panacea.
  4. 4. The strength of standards is that they provide a reasonable, common starting point.
  5. 5. Key Limitations By virtue of being generalized to a relatively broad audience… 1. Standards, and their associated frameworks, require customization and are rarely directly implementable. 1. As a result, while standards do provide the starting point for an effort, they still require expending resources to achieve a desirable result.
  6. 6. What are we talking about? • Standards related to cybersecurity and risk management. Not protocols. • Typically large, general-purpose works. • Examples: – ISACA’s COBIT 5 – ISO 31000 and 27000 series – NIST SP/FIPS/etc. – Standards from orgs like TOG (e.g, Open FAIR)
  8. 8. ISACA’s COBIT 5
  9. 9. COBIT 5 Details… • The primary standard is hundreds of pages long, and overall is a collection of several documents. • “COBIT 5 for Risk” alone is 244 pages. • This is incredibly unwieldy!
  10. 10. COBIT 5 Risk Response Workflow
  11. 11. ISO 31000
  12. 12. ISO 27005
  13. 13. NIST RMF
  14. 14. NIST SP800-39 “Managing Information Security Risk”
  15. 15. NIST SP800-39 “Managing Information Security Risk”
  16. 16. NIST SP800-30 “Guide for Conducting Risk Assessments”
  17. 17. NIST SP800-30 “Guide for Conducting Risk Assessments”
  18. 18. NIST SP800-30 (3 of 3) “Guide for Conducting Risk Assessments”
  19. 19. Lessons from NIST? • There’s a LOT to the standards. • There’s a lot of misunderstanding, too. • You still need to do “stuff”… • In fact, if under FISMA, you have a LOT to do. • In private industry, take time to understand.
  20. 20. TOG’s OpenFAIR
  21. 21. Closing thoughts • Standards are useful, but no panacea. • Standards can reduce some planning efforts, but still require work. • Semper Gumby!
  22. 22. Bonus Point! Right-Sizing: Just how much do you need?? Is… Data Value + System Value + Resilience/Defensibility …generally adequate?
  23. 23. Ben Tomhave  @falconsview 