Source: Infosecurity Magazine
23 Aug 2017
The Information Security Forum (ISF) has updated its risk assessment methodology to address better threat profiling and vulnerability assessment, among other things.
The ISF’s Information Risk Assessment Methodology version 2 (IRAM2) is a practical methodology that helps businesses to identify, analyze and treat information risk throughout the organization. In the updated version, “react and prepare” have been incorporated into the supporting information used during the threat profiling phase, including the common threat list (CTL) and the threat event catalogue (TEC).
Also, on the vulnerability front, the previous IRAM2 control library, consisting of 29 controls, has been replaced with a more comprehensive set of 167 controls based on The Standard of Good Practice for Information Security and the Security Healthcheck. The approach for determining control strength also now includes the extent of ‘relevance’ and ‘implementation’ of environmental controls. This enhanced approach is supported with the introduction of control relevance tables (CRT) to provide objectivity and repeatability.