The Strengths & Limitations of Risk Management Standards
TOG Baltimore, July 20, 2015
Ben Tomhave

Posted Aug 13, 2015

Transcript
Page 1: The Strengths & Limitations of Risk Management Standards

The Strengths & Limitations of Risk Management Standards

TOG Baltimore, July 20, 2015
Ben Tomhave

Page 2: The Strengths & Limitations of Risk Management Standards

Let’s be frank…

Frank Gehry responds to critics during a press conference in Oviedo, Spain
Photo via: Faro de Vigo
https://news.artnet.com/in-brief/frank-gehry-gives-spanish-critics-the-finger-143262

Page 3: The Strengths & Limitations of Risk Management Standards

Standards, while useful, are no panacea.

Page 4: The Strengths & Limitations of Risk Management Standards

The strength of standards is that they provide a reasonable, common starting point.

Page 5: The Strengths & Limitations of Risk Management Standards

Key Limitations

By virtue of being generalized to a relatively broad audience…

1. Standards, and their associated frameworks, require customization and are rarely directly implementable.

2. As a result, while standards do provide the starting point for an effort, they still require expending resources to achieve a desirable result.

Page 6: The Strengths & Limitations of Risk Management Standards

What are we talking about?

• Standards related to cybersecurity and risk management. Not protocols.

• Typically large, general-purpose works.
• Examples:
– ISACA’s COBIT 5
– ISO 31000 and 27000 series
– NIST SP/FIPS/etc.
– Standards from orgs like TOG (e.g., Open FAIR)

Page 7: The Strengths & Limitations of Risk Management Standards

LET’S DRILL-DOWN…

Page 8: The Strengths & Limitations of Risk Management Standards

ISACA’s COBIT 5

Page 9: The Strengths & Limitations of Risk Management Standards

COBIT 5 Details…

• The primary standard is hundreds of pages long, and overall is a collection of several documents.

• “COBIT 5 for Risk” alone is 244 pages.
• This is incredibly unwieldy!

Page 10: The Strengths & Limitations of Risk Management Standards

COBIT 5 Risk Response Workflow

Page 11: The Strengths & Limitations of Risk Management Standards

ISO 31000

Page 12: The Strengths & Limitations of Risk Management Standards

ISO 27005

Page 13: The Strengths & Limitations of Risk Management Standards

NIST RMF

Page 14: The Strengths & Limitations of Risk Management Standards

NIST SP800-39 “Managing Information Security Risk”

Page 15: The Strengths & Limitations of Risk Management Standards

NIST SP800-39 “Managing Information Security Risk”

Page 16: The Strengths & Limitations of Risk Management Standards

NIST SP800-30 “Guide for Conducting Risk Assessments”

Page 17: The Strengths & Limitations of Risk Management Standards

NIST SP800-30 “Guide for Conducting Risk Assessments”

Page 18: The Strengths & Limitations of Risk Management Standards

NIST SP800-30 (3 of 3) “Guide for Conducting Risk Assessments”

Page 19: The Strengths & Limitations of Risk Management Standards

Lessons from NIST?

• There’s a LOT to the standards.
• There’s a lot of misunderstanding, too.
• You still need to do “stuff”…
• In fact, if under FISMA, you have a LOT to do.
• In private industry, take time to understand.

Page 20: The Strengths & Limitations of Risk Management Standards

TOG’s OpenFAIR

Page 21: The Strengths & Limitations of Risk Management Standards

Closing thoughts

• Standards are useful, but no panacea.
• Standards can reduce some planning efforts, but still require work.
• Semper Gumby!

Page 22: The Strengths & Limitations of Risk Management Standards

Bonus Point!

Right-Sizing: Just how much do you need??

Is…

Data Value + System Value + Resilience/Defensibility

…generally adequate?

Page 23: The Strengths & Limitations of Risk Management Standards

Q & A?

Page 24: The Strengths & Limitations of Risk Management Standards

THANK YOU!

Ben Tomhave @falconsview [email protected]