Risk Assessment Framework (RAF) - Revision history

User at 16:42, 20 January 2023

2023-01-20T16:42:37Z

User: The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

2021-02-06T18:05:17Z

The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

User at 18:44, 20 March 2020

2020-03-20T18:44:23Z

User at 17:09, 19 March 2020

2020-03-19T17:09:35Z

User at 20:04, 25 September 2019

2019-09-25T20:04:15Z

User: A risk assessment framework (RAF) is an approach for prioritizing and sharing information about the security risks posed to an information technology organization.

2019-01-05T14:53:20Z

A risk assessment framework (RAF) is an approach for prioritizing and sharing information about the security risks posed to an information technology organization.

New page

A risk assessment framework (RAF) is an approach for prioritizing and sharing information about the security risks posed to an information technology organization. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to organizations in identifying and locating both low and high-risk areas in the system that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>

Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it's a huge challenge.

Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:<ref>Formal IT risk assessment frameworks [http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html cso online]</ref> 
*Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
*Factor Analysis of Information Risk (FAIR)
*[[Risk_Management_Framework_(RMF)|National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)]]
*Threat Agent Risk Assessment (TARA), a recent creation

'''Risk Assessment Template Best Practices''' 
Risk assessments are plagued by subjectivity which means they simply cannot be relied upon to meet their objective. Subjectivity prevents the risk assessments from being used across business silos and makes verification by audit or compliance review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes: 

'''Adopt a uniform numerical scale'''Use a scale of 1 to 10, Scoring is based on a scale from 1 to 10, with 10 having the most unfavorable consequences to the organization, split into 5 buckets to provide a high and low of each bucket. (1-2, 3-4, 5-6, etc). Using a 10 scale makes the math easy and having only 5 buckets gives folks doing assessments flexibility to select the high or low of the 5 buckets. 
'''Define objective evaluation criteria''' Often, one person’s 9 is another person’s 7. You need to provide clear definition on what each of the 5 buckets are in unambiguous terms. You can chose multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc., yet only one of the criteria listed for a specific level has to be met in order to rate a factor at that level. Any set of standards can be compared, including laws, regulations and corporate policies and procedures, with current practices. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise. 
'''Calibrate assessment criteria''' Although a variety of risk assessment criteria is used, all these should be on a 1-10 scale and calibrated, meaning that the description of a 7, even if described differently in different risk assessment criteria has the same meaning of severity. This allows the aggregation of assessments to provide a holistic view of risk. 
'''Use universal business elements '''Break down risk assessments into basic elements like business processes and resources that are standardized across business silos, or business units. Risk assessing vendor characteristics separately from the products and services they sell will produce risk assessments that make it easy to identify and maintain objectivity as changes occur like mergers and acquisitions or new product introductions, etc.. 
'''Link risk assessment templates ''' Link elements together, meaning connect vendors to the products and services they provide to the business processes that rely upon them. Link each financial element to the business processes that contribute to them. Link all of the internally developed applications and data repositories to the business processes that rely upon them to perform their responsibilities.

Linking these elements together enables risk assessment data to then be easily aggregated and reported using these linked relationships to provide a holistic picture of all your risk assessment template results. For example, a vendor can have multiple products and services of different quality and risk. Risk assessing the products and services individually and linking those assessments to the vendor profile provides a much clearer picture on the combination of products services and vendors used by a processes owner.

The result is a single overall summary score for each business process that combines the individual scores for each resources and financial item associated with that process and the process score itself. With this information, you can prioritize and focus your ERM efforts.

===References===
<references />

@@ Line 1: / Line 1: @@
-A '''Risk Assessment [[Framework]] (RAF)''' is an approach for prioritizing and sharing information about the security risks posed to an [[Information Technology (IT)|information technology]] [[organization]]. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to [[Organization|organizations]] in identifying and locating both low and high-[[Risk|risk]] areas in the [[system]] that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>
+== What is Risk Assessment Framework (RAF)? ==
-Assessing and [[Risk Management|managing risk]] is a high priority for many organizations, and given the turbulent state of [[Information Security|information security]] vulnerabilities and the need to be [[Compliance|compliant with so many regulations]], it's a huge challenge.
+Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it's a huge challenge.
-Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the [[process]]. These include:<ref>Formal IT risk assessment frameworks [http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html cso online]</ref><br />
+Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:<ref>[http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html Formal IT risk assessment frameworks]</ref><br />
-*[[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)|Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)]]
+*Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
-*[[Factor Analysis of Information Risk (FAIR)]]
+*Factor Analysis of Information Risk (FAIR)
-*[[Risk_Management_Framework_(RMF)|National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)]]
+*NIST Risk Management Framework (RMF)
-*[[Threat Agent Risk Assessment (TARA)]], a recent creation
+*Threat Agent Risk Assessment (TARA), a recent creation
-'''Risk Assessment [[Template]] Best Practices'''<br />
+== Risk Assessment Template Best Practices ==
-[[Risk Assessment|Risk assessments]] are plagued by subjectivity which means they simply cannot be relied upon to meet their [[objective]]. Subjectivity prevents the risk assessments from being used across [[business]] silos and makes verification by audit or [[compliance]] review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:<br />
+Risk assessments are plagued by subjectivity which means they simply cannot be relied upon to meet their objective. Subjectivity prevents risk assessments from being used across business silos and makes verification by audit or compliance review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:
+*'''Adopt a uniform numerical scale''': Use a scale of 1 to 10, Scoring is based on a scale from 1 to 10, with 10 having the most unfavorable consequences to the organization, split into 5 buckets to provide a high and low of each bucket. (1-2, 3-4, 5-6, etc). Using a 10 scale makes the math easy and having only 5 buckets gives folks doing assessments flexibility to select the high or low of the 5 buckets.
-'''Adopt a uniform numerical scale'''Use a scale of 1 to 10, Scoring is based on a scale from 1 to 10, with 10 having the most unfavorable consequences to the organization, split into 5 buckets to provide a high and low of each bucket. (1-2, 3-4, 5-6, etc). Using a 10 scale makes the math easy and having only 5 buckets gives folks doing assessments flexibility to select the high or low of the 5 buckets.<br />
+*'''Define objective evaluation criteria''': Often, one person’s 9 is another person’s 7. You need to provide a clear definition of what each of the 5 buckets is, in unambiguous terms. You can choose multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc., yet only one of the criteria listed for a specific level has to be met in order to rate a factor at that level. Any set of standards can be compared, including laws, regulations, and corporate policies and procedures, with current practices. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise.
-'''Define objective [[evaluation]] criteria'''<br />Often, one person’s 9 is another person’s 7. You need to provide clear definition on what each of the 5 buckets are in unambiguous terms. You can chose multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc., yet only one of the criteria listed for a specific level has to be met in order to rate a factor at that level. Any set of standards can be compared, including laws, regulations and corporate policies and procedures, with current practices. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise.<br />
+*'''Calibrate assessment criteria''': Although a variety of risk assessment criteria is used, all these should be on a 1-10 scale and calibrated, meaning that the description of a 7, even if described differently in different risk assessment criteria has the same meaning of severity. This allows the aggregation of assessments to provide a holistic view of risk.
-'''Calibrate assessment criteria''' Although a variety of risk assessment criteria is used, all these should be on a 1-10 scale and calibrated, meaning that the description of a 7, even if described differently in different risk assessment criteria has the same meaning of severity. This allows the aggregation of assessments to provide a holistic view of risk.<br />
+*'''Use universal business elements''': Break down risk assessments into basic elements like business processes and resources that are standardized across business silos or business units. Risk assessing vendor characteristics separately from the products and services they sell will produce risk assessments that make it easy to identify and maintain objectivity as changes occur like mergers and acquisitions or new product introductions, etc.
-'''Use universal business elements '''Break down risk assessments into basic elements like business processes and resources that are standardized across business silos, or business units. Risk assessing [[vendor]] characteristics separately from the products and services they sell will produce risk assessments that make it easy to identify and maintain objectivity as changes occur like mergers and acquisitions or new [[product]] introductions, etc..<br />
+*'''Link risk assessment templates''': Link elements together, meaning connect vendors to the products and services they provide to the business processes that rely upon them. Link each financial element to the business processes that contribute to them. Link all of the internally developed applications and data repositories to the business processes that rely upon them to perform their responsibilities. Linking these elements together enables risk assessment data to then be easily aggregated and reported using these linked relationships to provide a holistic picture of all your risk assessment template results. For example, a vendor can have multiple products and services of different quality and risk. Risk assessing the products and services individually and linking those assessments to the vendor profile provides a much clearer picture of the combination of products services and vendors used by a processes owner. The result is a single overall summary score for each business process that combines the individual scores for each resource and financial item associated with that process and the process score itself. With this information, you can prioritize and focus your ERM efforts.
 == See Also ==
-[[Risk]]<br />
+*[[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)]]
-[[Risk Analysis]]<br />
+*[[Risk Management Framework (RMF)|NIST Risk Management Framework (RMF)]]
-[[Risk Assessment]]<br />
+*[[Factor Analysis of Information Risk (FAIR)]]
-[[Risk Management]]<br />
+*[[Threat Agent Risk Assessment (TARA)]]
 == References ==
 <references />

@@ Line 1: / Line 1: @@
-A '''Risk Assessment Framework (RAF)''' is an approach for prioritizing and sharing information about the security risks posed to an [[Information Technology (IT)|information technology]] organization. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to [[Organization|organizations]] in identifying and locating both low and high-[[Risk|risk]] areas in the system that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>
+A '''Risk Assessment [[Framework]] (RAF)''' is an approach for prioritizing and sharing information about the security risks posed to an [[Information Technology (IT)|information technology]] [[organization]]. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to [[Organization|organizations]] in identifying and locating both low and high-[[Risk|risk]] areas in the [[system]] that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>
 Assessing and [[Risk Management|managing risk]] is a high priority for many organizations, and given the turbulent state of [[Information Security|information security]] vulnerabilities and the need to be [[Compliance|compliant with so many regulations]], it's a huge challenge.
-Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:<ref>Formal IT risk assessment frameworks [http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html cso online]</ref><br />
+Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the [[process]]. These include:<ref>Formal IT risk assessment frameworks [http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html cso online]</ref><br />
 *[[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)|Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)]]
 *[[Factor Analysis of Information Risk (FAIR)]]
@@ Line 10: / Line 10: @@
-'''Risk Assessment Template Best Practices'''<br />
+'''Risk Assessment [[Template]] Best Practices'''<br />
-[[Risk Assessment|Risk assessments]] are plagued by subjectivity which means they simply cannot be relied upon to meet their objective. Subjectivity prevents the risk assessments from being used across business silos and makes verification by audit or compliance review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:<br />
+[[Risk Assessment|Risk assessments]] are plagued by subjectivity which means they simply cannot be relied upon to meet their [[objective]]. Subjectivity prevents the risk assessments from being used across [[business]] silos and makes verification by audit or [[compliance]] review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:<br />
 '''Adopt a uniform numerical scale'''Use a scale of 1 to 10, Scoring is based on a scale from 1 to 10, with 10 having the most unfavorable consequences to the organization, split into 5 buckets to provide a high and low of each bucket. (1-2, 3-4, 5-6, etc). Using a 10 scale makes the math easy and having only 5 buckets gives folks doing assessments flexibility to select the high or low of the 5 buckets.<br />
-'''Define objective evaluation criteria'''<br />Often, one person’s 9 is another person’s 7. You need to provide clear definition on what each of the 5 buckets are in unambiguous terms. You can chose multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc., yet only one of the criteria listed for a specific level has to be met in order to rate a factor at that level. Any set of standards can be compared, including laws, regulations and corporate policies and procedures, with current practices. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise.<br />
+'''Define objective [[evaluation]] criteria'''<br />Often, one person’s 9 is another person’s 7. You need to provide clear definition on what each of the 5 buckets are in unambiguous terms. You can chose multiple ways of expressing severity, both qualitative and quantitative, such as financial, legal, strategic, etc., yet only one of the criteria listed for a specific level has to be met in order to rate a factor at that level. Any set of standards can be compared, including laws, regulations and corporate policies and procedures, with current practices. Any qualitative criterion can be given a score to become quantitative and comparable across the enterprise.<br />
 '''Calibrate assessment criteria''' Although a variety of risk assessment criteria is used, all these should be on a 1-10 scale and calibrated, meaning that the description of a 7, even if described differently in different risk assessment criteria has the same meaning of severity. This allows the aggregation of assessments to provide a holistic view of risk.<br />
-'''Use universal business elements '''Break down risk assessments into basic elements like business processes and resources that are standardized across business silos, or business units. Risk assessing vendor characteristics separately from the products and services they sell will produce risk assessments that make it easy to identify and maintain objectivity as changes occur like mergers and acquisitions or new product introductions, etc..<br />
+'''Use universal business elements '''Break down risk assessments into basic elements like business processes and resources that are standardized across business silos, or business units. Risk assessing [[vendor]] characteristics separately from the products and services they sell will produce risk assessments that make it easy to identify and maintain objectivity as changes occur like mergers and acquisitions or new [[product]] introductions, etc..<br />
-'''Link risk assessment templates ''' Link elements together, meaning connect vendors to the products and services they provide to the business processes that rely upon them. Link each financial element to the business processes that contribute to them. Link all of the internally developed applications and data repositories to the business processes that rely upon them to perform their responsibilities.
+'''Link risk assessment templates ''' Link elements together, meaning connect vendors to the products and services they provide to the business processes that rely upon them. Link each financial element to the business processes that contribute to them. Link all of the internally developed applications and [[data]] repositories to the business processes that rely upon them to perform their responsibilities.
-Linking these elements together enables risk assessment data to then be easily aggregated and reported using these linked relationships to provide a holistic picture of all your risk assessment template results. For example, a vendor can have multiple products and services of different quality and risk. Risk assessing the products and services individually and linking those assessments to the vendor profile provides a much clearer picture on the combination of products services and vendors used by a processes owner.
+Linking these elements together enables risk assessment data to then be easily aggregated and reported using these linked relationships to provide a holistic picture of all your risk assessment template results. For example, a vendor can have multiple products and services of different [[quality]] and risk. Risk assessing the products and services individually and linking those assessments to the vendor profile provides a much clearer picture on the combination of products services and vendors used by a processes owner.
 The result is a single overall summary score for each business process that combines the individual scores for each resources and financial item associated with that process and the process score itself. With this information, you can prioritize and focus your ERM efforts.

@@ Line 1: / Line 1: @@
-A '''Risk Assessment Framework (RAF)''' is an approach for prioritizing and sharing information about the security risks posed to an information technology organization. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to organizations in identifying and locating both low and high-risk areas in the system that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>
+A '''Risk Assessment Framework (RAF)''' is an approach for prioritizing and sharing information about the security risks posed to an [[Information Technology (IT)|information technology]] organization. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to [[Organization|organizations]] in identifying and locating both low and high-[[Risk|risk]] areas in the system that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>
-Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it's a huge challenge.
+Assessing and [[Risk Management|managing risk]] is a high priority for many organizations, and given the turbulent state of [[Information Security|information security]] vulnerabilities and the need to be [[Compliance|compliant with so many regulations]], it's a huge challenge.
 Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:<ref>Formal IT risk assessment frameworks [http://www.csoonline.com/article/2125140/metrics-budgets/it-risk-assessment-frameworks--real-world-experience.html cso online]</ref><br />
-*Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
+*[[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)|Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)]]
-*Factor Analysis of Information Risk (FAIR)
+*[[Factor Analysis of Information Risk (FAIR)]]
 *[[Risk_Management_Framework_(RMF)|National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)]]
-*Threat Agent Risk Assessment (TARA), a recent creation
+*[[Threat Agent Risk Assessment (TARA)]], a recent creation
 '''Risk Assessment Template Best Practices'''<br />
-Risk assessments are plagued by subjectivity which means they simply cannot be relied upon to meet their objective. Subjectivity prevents the risk assessments from being used across business silos and makes verification by audit or compliance review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:<br />
+[[Risk Assessment|Risk assessments]] are plagued by subjectivity which means they simply cannot be relied upon to meet their objective. Subjectivity prevents the risk assessments from being used across business silos and makes verification by audit or compliance review impossible. Subjectivity can be overcome by using a risk assessment template framework with the following best practice attributes:<br />
 '''Adopt a uniform numerical scale'''Use a scale of 1 to 10, Scoring is based on a scale from 1 to 10, with 10 having the most unfavorable consequences to the organization, split into 5 buckets to provide a high and low of each bucket. (1-2, 3-4, 5-6, etc). Using a 10 scale makes the math easy and having only 5 buckets gives folks doing assessments flexibility to select the high or low of the 5 buckets.<br />
@@ Line 25: / Line 25: @@
 == See Also ==
 [[Risk Analysis]]<br />
 [[Risk Assessment]]<br />
 [[Risk Management]]<br />
 [[Information Technology Risk (IT Risk)]]<br />
 [[Enterprise Risk Management (ERM)]]<br />

← Older revision		Revision as of 17:09, 19 March 2020
Line 1:		Line 1:
−	A ~~risk assessment framework~~ (RAF) is an approach for prioritizing and sharing information about the security risks posed to an information technology organization. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to organizations in identifying and locating both low and high-risk areas in the system that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>	+	A '''Risk Assessment Framework (RAF)''' is an approach for prioritizing and sharing information about the security risks posed to an information technology organization. The information should be presented in a way that both non-technical and technical personnel in the group can understand. The view on the RAF provides assistance to organizations in identifying and locating both low and high-risk areas in the system that may be susceptible to abuse or attack.<ref>Defining Risk Assessment Framework (RAF) [https://www.techopedia.com/definition/14010/risk-assessment-framework-raf Techopedia]</ref>

	Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it's a huge challenge.		Assessing and managing risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it's a huge challenge.

← Older revision		Revision as of 20:04, 25 September 2019
Line 24:		Line 24:


−	===References===	+	== See Also ==
		+	[[Risk Analysis]]<br />
		+	[[Risk Assessment]]<br />
		+	[[Risk Management]]<br />
		+	[[Risk Management Framework (RMF)]]<br />
		+	[[Information Technology Risk (IT Risk)]]<br />
		+	[[Enterprise Risk Management (ERM)]]<br />
		+	[[Risk IT Framework]]<br />
		+	[[Risk Based Testing]]<br />
		+	[[Risk-Adjusted Return]]<br />
		+	[[Risk-Adjusted Return on Capital (RAROC)]]<br />
		+	[[Risk Matrix]]<br />
		+	[[Risk Maturity]]<br />
		+	[[Risk Maturity Model (RMM)]]<br />
		+	[[Risk Mitigation]]
		+
		+
		+	== References ==
	<references />		<references />