For many years now, the information security industry has attempted to adapt existing Risk Management practices for the task of managing information security. Numerous frameworks have been devised over the years, including FAIR, OCTAVE, ISO 27001/27005 and NIST 800-53/NIST 800-39, just to name a few.
Challenge with the Current Models
While each of these existing frameworks has a number of strengths, SecureState has found most clients have a great deal of difficulty in implementing any of them. To address this, SecureState has devised its own “iRisk Equation,” designed to provide organizations with a risk management approach which is relatively easy and inexpensive to begin implementing and can be improved over time as additional information is gathered about the organization’s environment. Most existing frameworks such as FAIR and OCTAVE are proprietary and cannot be truly evaluated without first making an investment. Others like NIST 800-30 are free and available to anyone interested, but difficult to alter.
Open the Way
SecureState recognizes that no approach to security risk management is flawless, and as a result, we have chosen a unique approach which will make it easy to gather feedback and continually improve the iRisk framework over time. The open source model has allowed collaborative software projects like the Linux kernel and the Apache web server to achieve low-cost, high-quality results and quickly adapt to the needs of the marketplace. Likewise, in the fast-moving world of information security, this approach has become very familiar to those developing attack tools like Metasploit and Nmap, and even applied to frameworks like the Open Web Application Security Project (OWASP) and the Penetration Testing Execution Standard (PTES).
The iRisk equation and framework as outlined on the SecureState wiki is only the starting point for iRisk. SecureState is soliciting feedback and input from anyone and everyone in the security community with an interest in using and building a better framework for managing security risk.
How to Get Involved
The centerpiece involving the community in this effort is a publically available wiki which can be accessed at http://community.securestate.com/. Each component of the iRisk equation is broken down on its own page within this wiki, where feedback can be easily provided by interested community members. Anyone who wishes to become a contributor to the project simply needs to create an account on the wiki. Once the account is created SecureState will verify you are a real person, grant edit access to the wiki and provide some guidelines on the editing process. We’ll also add you to a mailing list for project updates and upcoming project calls.
We look forward to your feedback and involvement in this project.