5 IT risk assessment frameworks compared

Formal risk assessment methodologies can help take guesswork out of evaluating IT risks if applied appropriately. Here is real-world feedback on using COBIT, OCTAVE, FAIR, NIST RMF, and TARA.


From a cybersecurity standpoint, organizations are operating in a high-risk world. The ability to assess and manage risk has perhaps never been more important. “Having a risk management framework is essential, because risk can never be totally eliminated; it can only be effectively managed,” says Arvind Raman, CISO at telecommunications company Mitel Networks. “When it isn’t, organizations will likely find themselves the target of a data breach or ransomware attack, or be vulnerable to any number of other security issues.”

The most critical consideration in selecting a framework is ensuring that it’s “fit for purpose” and best suited for the intended outcomes, says Andrew Retrum, managing director in the cybersecurity and privacy practice at consulting firm Protiviti. “It’s also beneficial to select frameworks that are well known and understood already within the organization,” Retrum says. “This enables more consistent and efficient use of the framework and allows individuals across the organization to speak a consistent language.”

There’s no shortage of risk-assessment frameworks organizations can leverage to help guide security and risk executives. Here's a look at some of the most prominent of these frameworks, each designed to address specific risk areas.

NIST Risk Management Framework

The Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST) provides a comprehensive, repeatable, and measurable seven-step process organizations can use to manage information security and privacy risk. It links to a suite of NIST standards and guidelines to support the implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).  
