The Open Group's Security Forum published the second report in a three-part series yesterday. Called Technical Requirements for Risk Management Methodologies, it identifies the key characteristics that make up an effective methodology.
The report recommends a taxonomy for risk, to help define commonly-used terms, and also says that a risk assessment methodology should be probabilistic. "Ultimately a statement concerning risk is a belief statement," it advises.
Testing the accuracy of risk assessments against historical evidence is key to ensuring an accurate methodology, the report says, adding that consistency when used by different analysts, defensibility and conciseness are also important. Those seeking a suitable risk assessment methodology should also ensure that it is logical and actionable.
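An added illustration, not taken from the report, of what "probabilistic" and "tested against historical evidence" mean in practice: each analyst's stated probability for a loss event is scored against whether the event actually occurred (Brier score and a calibration check), and the spread between analysts on the same scenario measures consistency. The scenarios, analysts and numbers below are constructed sample data.

```python
"""Score probabilistic risk statements against recorded outcomes."""
from collections import defaultdict

# Constructed sample: (scenario, analyst, stated annual probability of the
# loss event, whether the event occurred in the following year).
HISTORY = [
    ("ransomware-on-fileserver", "A", 0.30, True),
    ("ransomware-on-fileserver", "B", 0.25, True),
    ("dns-outage", "A", 0.10, False),
    ("dns-outage", "B", 0.60, False),
    ("lost-laptop", "A", 0.80, True),
    ("lost-laptop", "B", 0.75, True),
    ("vendor-breach", "A", 0.20, False),
    ("vendor-breach", "B", 0.15, False),
]


def brier_score(records):
    """Mean squared gap between stated probability and outcome.
    0.0 is perfect; saying 0.5 for everything scores 0.25."""
    return sum((p - float(hit)) ** 2 for _, _, p, hit in records) / len(records)


def by_analyst(records):
    """Brier score per analyst, so forecasters can be compared."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[1]].append(rec)
    return {a: brier_score(recs) for a, recs in groups.items()}


def calibration(records, bins=((0.0, 0.5), (0.5, 1.0))):
    """Per probability bin: (mean stated probability, observed frequency).
    A well-calibrated methodology has the two numbers close together."""
    out = {}
    for lo, hi in bins:
        members = [r for r in records if lo <= r[2] < hi or (hi == 1.0 and r[2] == 1.0)]
        if not members:
            continue
        mean_p = sum(r[2] for r in members) / len(members)
        freq = sum(r[3] for r in members) / len(members)
        out[(lo, hi)] = (round(mean_p, 3), round(freq, 3))
    return out


def analyst_disagreement(records):
    """Largest gap between analysts' probabilities for the same scenario;
    a big gap flags a scenario where the methodology is not applied consistently."""
    per_scenario = defaultdict(list)
    for scenario, _, p, _ in records:
        per_scenario[scenario].append(p)
    return {s: round(max(ps) - min(ps), 3) for s, ps in per_scenario.items()}
```

On this sample, analyst B's 0.60 for an outage that never happened both worsens B's Brier score and shows up as the only large inter-analyst gap, which is the kind of finding the report's "testing against historical evidence" criterion is meant to surface.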
The report also discusses the relative merits of quantitative versus qualitative risk analysis, and explores concepts such as sampling and root cause analysis.
The Open Group is also working on a new XML-based standard for compliance reporting. ACEML will let security professionals work together with risk managers more effectively, it said. The work on that standard is being conducted in parallel with a separate effort to update its audit reporting standard, called XDAS. This standard, designed to help with log management, will be adapted to make audit records more descriptive.
The next deliverable from the Open Group's Security Forum will focus on the implementation of the Factor Analysis of Information Risk (FAIR), which is a methodology developed by Risk Management Insight.