A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about
the security risks to an information technology (IT) infrastructure.
A good RAF organizes and presents information in a way that both technical and non-technical
personnel can understand. It has three important components: a shared vocabulary, consistent
assessment methods and a reporting system.
The common view an RAF provides helps an organization see which of its systems are at low risk
for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing
potential threats pro-actively, planning budgets and creating a culture in which the value of data
is understood and appreciated.
There are several risk assessment frameworks that are accepted as industry standards
- Risk Management Guide for Information Technology Systems (NIST guide) from the National
Institute of Standards.
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer
Emergency Readiness Team.
- Control Objectives for Information and related Technology (COBIT) from the Information Systems
Audit and Control Association.
To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE
or COBIT or create a framework
inhouse that fits the organization's business requirements. However the framework is built, it
1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.
2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.
3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.
4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.
5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.