Template
Template of Risk Management - Risk Assesment Methods
[method name]
Product identity card
General information
This attribute holds basic information to identify the product. The information provided here contains the name of the product, the company or cross-frontier organization that provides the product and the country of origin (in case the product originated from a company or national organization).
Method or tool name :
Vendor name :
Country of origin :
Level of reference of the product
Details about the type of initiator of the product like: (a) National Standardization body, (b) International Standardization body, (c) Private sector organization / association or (d) Public / government organization
Identification
Method: primarily a set of consistent documents, stating how to conduct Risk Assessment (RA) or Risk Management (RM) and not requiring an installation of an application on a computer.
When standard: specify if issued by a national or international body . A brief description of the product is given.
The number of bullets used in these attributes varies from none to three. It specifies the degree of fulfillment of the phase by the considered product.
R.A. Method phases supported
- Risk identification :
- Risk analysis :
- Risk evaluation :
R.M. Method phases supported
- Risk assessment :
- Risk treatment :
- Risk acceptance :
- Risk communication :
Brief description of the product
Lifecycle
Date of the first edition, date and number of actual version
Date of first release :
Date and identification of the last version :
Useful links
Official web site: hyperlink to the site of the originator/provider of the product, where to download the product or order it.
Related user group web site: hyperlink to the web site of the user group (if any) for the product.
Main relevant web site: web site that offers relevant and neutral information concerning the product.
Official web site :
User group web site :
Relevant web site :
Languages
Languages available: the first occurrence gives the language that was used to develop the product. Other occurrences are languages in which the product is available within the European Union.
Availability in European languages :
Price
Free: the solution is free of charge.
Not free: the price to buy or the yearly fee (this also includes membership fees to acquire access to the product, e.g. ISO standards).
Updating fee: the yearly fee for updates.
Scope
Target organisations
Defines the most appropriate type of organisations the product aims at:
Governments, agencies: the product is developed by organizations working for a state (e.g. a national information security authority).
Large companies: the product is useful for companies with more than 250 employees.
SME: the product is useful for small and medium size companies that cannot afford dedicated Risk Management personnel or complete segregation of duties.
Commercial companies: the product is targeted to companies that have to implement it due to commercial demands from stakeholders, financial regulators, etc.
Non-profit: companies where commercial benefits are not essential like the NGO’s health sector, public services, etc.
Specific sector: the product is dedicated to a very specific sector (e.g. nuclear, transportation) and usually cannot be used in other sectors.
Specific sector :
Geographical spread
Used in EU member states: list of EU member states in which implementation is known by working group members. This includes organization as European institutions (e.g. European Commission, European Union Council, European agencies) or International organizations located in Europe (e.g. NATO, UNO, OECD, UNESCO).
Used in non-EU countries: used within potential new member states of the European Union or outside the EU (e.g. Switzerland or USA).
Used in EU member states :
Used in non-EU member states :
Level of detail
The targeted kind of users is:
Management level: generic guidelines.
Operational level: guidelines for implementation planning with a low level of detail.
Technical level: specific guidelines, concerning technical, organizational, physical and human aspects of IT Security with a high level of detail.
License and certification scheme
Recognized licensing scheme: there is a recognized scheme for consultants/firms stating their mastering of a method.
Existing certification scheme: an organization may obtain a certificate, that it has fully and correctly implemented the method on its information systems.
Recognized licensing scheme :
Existing certification scheme :
Users viewpoint
Skills needed
Three types of skills are considered:
To introduce (the skills needed to understand the dependencies among the specific details of the product, e.g. different concepts supported, phases, activities etc.)
To use (the specific qualifications needed in order to perform current work, e.g. documentation easy to understand and use),
To maintain (the specific qualifications needed to maintain the life cycle of the product, e.g. to customize, tailor or perform regular updates)
For each type, the level of skills is classified according to the following scale:
Basic level: common sense and experience.
Standard level: some days or weeks of training are sufficient.
Specialist level: thorough knowledge and experience is required.
-
To introduce :
-
To use :
-
To maintain :
Consultancy support
It is necessary to use external help (consultancy) in order to apply the product. In such cases, the product can be open to any consultant on the market or is it bound to a specific category of consultants (e.g. licensed).
Consultancy :
Regulatory compliance
There is a given compliance of the product with international regulations (e.g. Basel II, Sarbanes Oxley Act).
Compliance to IT standards
There is a compliance with a national or international standard (e.g. ISO/IEC IS 13335-1, ISO/IEC IS 15408).
Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.
Availability :
Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security (e.g. through a reasoned best practice document).
It is possible to measure the I.S.S. maturity level :
Tools supporting the method
List of tools that support the product (commercial tools as well as non-commercial ones). If relevant, the organizations/sectors that can obtain the tool for free are mentioned.
Non commercial tools
Commercial tools
Technical integration of available tools
Particular supporting tools can be integrated with other tools (e.g. CERT tools).
Tools can be integrated with other tools :
Organisation processes integration
The method provides interfaces to existing processes within the organization (e.g. project management, procurement, etc.)
Method provides interfaces to other organisational processes :
Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.
Method allows use of sector adapted databases :
-
Interoperable EU Risk Management ToolboxThis document presents the EU RM toolbox, a solution proposed by ENISA to address interoperability concerns related to the use of information...
-
Interoperable EU Risk Management FrameworkThis report proposes a methodology for assessing the potential interoperability of risk management (RM) frameworks and methodologies and presents...