Open Group Seeks Universal Risk Management Taxonomy
The Open Group, a vendor- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, recently announced that the organization's Security Forum has initiated work on a risk management and analysis taxonomy standard. This is the first phase of a comprehensive initiative aimed at eliminating widespread industry confusion about risk management among risk managers, security and IT professionals, as well as business managers.
The Security Forum's focus on a risk management and analysis taxonomy is in direct response to the idea that risk analysis has historically been more art than science. Prior risk taxonomies used terms which were ill-defined, resulting in many inconsistent definitions and taxonomies within the information security landscape. None of these provided a clear and logical representation of the fundamental problem that the risk management profession must control -- the frequency and magnitude of loss.
"The Open Group Security Forum has chosen to start this standards work from its core -- understanding what 'risk' truly is," said Mike Jerbic, chairman, The Open Group Security Forum. "We believe that no significant progress can be made until we have a rigorous taxonomy for the terms and definitions we use in risk management.
The Open Group Security Forum's risk taxonomy will promote a consistent, tightly defined use of risk management terminology, in order to ensure a common understanding between different analysts and analysis methods. Misunderstandings of language and meaning often exist between senior management, personnel responsible for enterprise risk management and those responsible for IT risk management. Seemingly simple terms such as "threat," "vulnerability," and "risk" are used with different meanings by these various stakeholders. A commonly accepted taxonomy of terms and definitions is essential to enable all of the interested parties -- including risk management practitioners, business managers and IT professionals -- to understand each other and ultimately achieve their desired risk management goals.
Risk Management Insight, a member of The Open Group's Security Forum, seeded the initiative by contributing its FAIR (Factor Analysis for Information Risk) risk management taxonomy and methodology as the foundation for further development. "We felt that The Open Group's Security Forum was a perfect organization to lead the charge in developing a standard common language, or taxonomy, for risk management and analysis," said Alex Hutton, CEO, Risk Management Insight. "With the increasingly complex security requirements, organizations cannot afford to not be on the same page when it comes to assessing these risks."
As there are many risk assessment methodologies available -- all claiming to produce better results than the others -- The Open Group Security Forum's goal is to enable an objective evaluation of how any one risk assessment methodology achieves a comprehensive risk assessment and credible results. After the initial taxonomy has been established, the Security Forum will develop an industry standard aimed at defining the essential components, methodology and characteristics, that an effective Risk Assessment Methodology must address, and globally promote these as common criteria. The scope of this next phase is likely to include mapping these common criteria to the requirements established in other relevant industry-specific standards such as BITS Shared Assessments standards and COBIT (Control Objectives for Information and related Technology).