Common Methods for Security Risk Analysis
Abstract
This document is the result of a study conducted to document the state of Canadian risk management. The study provides a history of Canada's initiatives with respect to risk management and investigates how Canada can augment the Working Group with its experiences and its future initiatives and opportunities. In addition, the study presents a comparison between the prevalent Canadian threat and risk assessment methodology (ITSG 04) and the recommendations of the National Institute of Standards and Technology Risk Management Guide for Information Technology Systems (NIST 800-30). Substantial evolution of risk management has occurred in the past few years, but the tools and documentation have been a significant impediment to further development. There is a definite need to standardize the TRA process and provide system owners with a useful and consistent tool to evaluate the risks to information and IT systems. The approach to a common framework is emphasized by the need for a common language. The provision of a shared set of concepts and vocabulary can only help unify the disparate terminologies that variant TRA approaches and methodologies have engendered. Equally valuable is the prospect of automating, or partially automating, the TRA. Automated tools were premature in the early days when risk management was first introduced. Practitioners have since gained expertise and experience in the conduct of TRAs. It is recognized that human intervention will most likely be required in any automated TRA; however, partial automation may be an initial step toward a common framework.
Document Details
- Document Type: Technical Report
- Publication Date: Jan 12, 2005
- Accession Number: ADA436397
Entities
People
- Eugen Bacic
- Sylvie Malboeuf
- William Dziadyk
- William Sandberg-Maitland