A risk management framework provides the tools necessary to make decisions about investment in people, process and technology so that risk is contained at an acceptable level.
Popular risk frameworks for IT include the NIST Risk Assessment Framework documented in NIST Special Publication 800-30, ISACA Risk IT (part of COBIT 5, Control Objectives for Information and Related Technology), ISO 27k, OCTAVE and FAIR.
Choosing a framework to follow is a challenge for many organizations. There are many standards and factors to evaluate, including similarity to existing practices, cost, complexity and the supporting documentation available.
Key points of focus include:
Mr. Blanding is currently an independent IT management consultant. He has over 35 years of experience in executive IT leadership, IT governance, risk and compliance (GRC), systems auditing, quality assurance, information security, and business resumption planning for large corporations in the Big-4 professional services, financial services, manufacturing, retail electronics, and defense contract industries. He has extensive experience with industry best practices for adopting and implementing new technologies, IT service management frameworks, and GRC solutions that have dramatically improved customer satisfaction while reducing cost. Mr. Blanding earned a B.S. in Accounting from Virginia Tech and an M.S. in Business Information Systems from Virginia Commonwealth University. He served as Editor of Auerbach's Handbook of Enterprise Operations Management (EOM) in August 2000 and as Consulting Editor of Auerbach's EOM portfolio series from 1998 through 2001.
Mr. Sathyanarayana is the Senior Product Manager for IT-GRC at MetricStream. He has several years of experience spanning various aspects of information technology management and has previously worked with organizations such as Siemens Communication Software, Hewlett-Packard, Covansys Corporation, and Kirusa, Inc. in technical and business capacities.