Risk management methods
1 NIST 800-30 and related -- Risk Management Guide for Information Technology Systems
1.1 Methodology
1.1.1 Risk assessment
1.1.1.1 System characterization
1.1.1.1.1 System boundary
1.1.1.1.2 System functions
1.1.1.1.3 System and data criticality
1.1.1.1.4 System and data sensitivity
1.1.1.2 Threat identification
1.1.1.2.1 Threat sources
1.1.1.2.1.1 Hostile cyber/physical attacks
1.1.1.2.1.2 Human errors
1.1.1.2.1.3 Natural and man-made disasters
1.1.1.2.2 Adversaries
1.1.1.2.2.1 Tactics, techniques and procedures employed
1.1.1.2.2.2 Countermeasures (controls)
1.1.1.2.2.3 Threat level -- capabilities, intentions and targeting
1.1.1.2.3 Identify threat events for further study
1.1.1.2.4 Identify sources of threat information -- e.g. Information Sharing and Analysis Centers (ISACs)
1.1.1.2.5 Threat statement
1.1.1.3 Vulnerability identification
1.1.1.3.1 List of potential vulnerabilities
1.1.1.3.1.1 Hardware, software, firmware
1.1.1.3.1.2 Mission/business processes and architectures
1.1.1.3.1.3 Organizational governance structures or processes
1.1.1.3.1.4 Adverse impact/harm from external sources (e.g. destruction of infrastructure the organization does not own)
1.1.1.3.1.5 Dependencies on external organizations
1.1.1.3.2 Identify vulnerabilities (tied to threats) for further study
1.1.1.3.3 Identify sources of vulnerability information
1.1.1.3.3.1 Catalog of vulnerabilities -- Common Vulnerabilities and Exposures [CVE] identifiers
1.1.1.4 Control analysis
1.1.1.4.1 List of current and planned controls
1.1.1.5 Impact analysis
1.1.1.5.1 Impact on operations
1.1.1.5.1.1 Mission
1.1.1.5.1.2 Functions
1.1.1.5.1.3 Image
1.1.1.5.1.4 Reputation
1.1.1.5.2 Impact on assets
1.1.1.5.3 Impact on individuals
1.1.1.5.4 Impact on other organizations
1.1.1.5.5 Impact at the national and international level
1.1.1.5.6 Loss of integrity
1.1.1.5.7 Loss of availability
1.1.1.5.8 Loss of confidentiality
1.1.1.5.9 Impact rating
1.1.1.6 Likelihood determination
1.1.1.6.1 Likelihood rating
1.1.1.7 Risk determination
1.1.1.7.1 Risks and associated risk levels
1.1.1.8 Control recommendations
1.1.1.8.1 Recommended controls
1.1.2 Risk mitigation
1.1.2.1 Options
1.1.2.1.1 Assume risk
1.1.2.1.2 Avoid risk
1.1.2.1.3 Limit risk
1.1.2.1.4 Plan for risk
1.1.2.1.5 Research the risk further
1.1.2.1.6 Transfer the risk
1.1.2.2 Implement controls
1.1.2.2.1 Prioritize actions
1.1.2.2.2 Evaluate recommended control options
1.1.2.2.3 Conduct cost-benefit analysis
1.1.2.2.4 Select controls
1.1.2.2.5 Assign responsibility
1.1.2.2.6 Develop action plan
1.1.2.2.7 Implement controls
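Worked example for the likelihood determination, risk determination and "prioritize actions" steps above (1.1.1.6 through 1.1.2.2.1). This is an added illustration, not text or code from NIST or from this page; it encodes the likelihood weights, impact weights and risk scale from Tables 3-4 to 3-7 of SP 800-30 (2002), and the threat/vulnerability pairs in it are constructed.

```python
"""Risk determination per NIST SP 800-30 (2002), Section 3.7.

Added example; the tables below are the ones SP 800-30 (2002) gives,
the sample RiskItem rows are constructed for illustration.
"""
from dataclasses import dataclass

# Table 3-4: threat likelihood ratings and the weight assigned to each.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Table 3-5: impact ratings and the weight assigned to each.
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
# Table 3-7: what the risk level means for the mitigation decision.
ACTION = {
    "High": "Corrective measures needed: strong need, plan must be put in place as soon as possible",
    "Medium": "Corrective actions needed within a reasonable period of time",
    "Low": "Authorizing official decides whether to correct or to accept the risk",
}


@dataclass(frozen=True)
class RiskItem:
    threat_source: str   # from the threat statement (1.1.1.2.5)
    vulnerability: str   # from the vulnerability list (1.1.1.3)
    likelihood: str      # High / Medium / Low rating (1.1.1.6.1)
    impact: str          # High / Medium / Low rating (1.1.1.5.9)


def risk_score(likelihood: str, impact: str) -> float:
    """Table 3-6: risk = likelihood weight x impact weight (1 .. 100)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Risk scale from Table 3-6: High (>50 to 100), Medium (>10 to 50), Low (1 to 10).
    Note that a High likelihood against a Low impact (1.0 x 10 = 10) is still Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risks(items):
    """Return (item, score, level, action) sorted highest risk first.
    The sorted list is the input to 'prioritize actions' in risk mitigation."""
    scored = [(it, risk_score(it.likelihood, it.impact)) for it in items]
    scored.sort(key=lambda row: row[1], reverse=True)
    return [(it, s, risk_level(s), ACTION[risk_level(s)]) for it, s in scored]


# Constructed sample threat/vulnerability pairs (not from NIST or the page).
SAMPLE = [
    RiskItem("External attacker", "Internet-facing web server missing vendor patch", "High", "High"),
    RiskItem("Administrator error", "No change control on firewall rule edits", "Medium", "Medium"),
    RiskItem("Flood", "Single data centre in a floodplain, no recovery site", "Low", "High"),
]


if __name__ == "__main__":
    for item, score, level, action in determine_risks(SAMPLE):
        print(f"{score:5.1f} {level:6} {item.threat_source} / {item.vulnerability}\n        -> {action}")
```

The 2002 matrix is deliberately coarse: a High likelihood against a Low impact (10) lands in the Low band, and Medium x High and High x Medium both score exactly 50 and stay Medium, so the boundaries matter when ratings are argued over. Rev 1 (2012) replaces the numeric weights with qualitative and semi-quantitative scales, but the likelihood-by-impact structure is the same.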
1.2 Links
1.2.1 NIST Special Publications (800 Series): http://csrc.nist.gov/publications/PubsSPs.html
1.2.2 The Secure DNS Deployment Guide might also be of interest: http://csrc.nist.gov/publications/nistpubs/800-81r1/sp-800-81r1.pdf
1.2.3 Managing Information Security Risk: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
1.2.4 Guide for Conducting Risk Assessments Rev 1 (Sept 2011 version): http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-30-Rev.%201
1.2.4.1 dis is da stuff!
1.2.5 SP 800-30 (2002): http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
2 ISO 31000 -- International Risk Management
2.1 https://en.wikipedia.org/wiki/ISO_31000
2.2 AS/NZS ISO 31000:2009 - Risk management - Principles and guidelines
2.2.1 http://infostore.saiglobal.com/store/Details.aspx?productID=1378670
2.2.2 http://www.significanceinternational.com/Resources/OfficialStandards#Risk%20analysis%20and%20management
3 OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
3.1 Methodology
3.1.1 Build asset-based threat profiles
3.1.1.1 Identify senior management knowledge
3.1.1.1.1 Assets and priorities
3.1.1.1.1.1 ID assets
3.1.1.1.1.2 Select the most important assets
3.1.1.1.1.3 Discuss rationale for selection
3.1.1.1.2 Areas of concern
3.1.1.1.2.1 ID scenarios that threaten most-important assets (based on sources and outcomes of threats)
3.1.1.1.2.2 Discuss potential impacts to the organization for the scenarios
3.1.1.1.3 Security requirements for the most important assets
3.1.1.1.3.1 ID security requirements for most-important assets
3.1.1.1.3.2 Select most important security requirement for each important asset
3.1.1.1.4 Current protection strategy practices and organizational vulnerabilities
3.1.1.1.4.1 Indicate which practices are currently followed (and not followed)
3.1.1.1.4.2 Discuss issues that arise from survey results
3.1.1.1.5 Operational areas to evaluate
3.1.1.1.5.1 Review list of operational areas (and managers)
3.1.1.1.5.2 Determine if any changes are required
3.1.1.1.6 Summarize results
3.1.1.1.6.1 Create summary
3.1.1.1.6.2 Review w/senior managers
3.1.1.1.6.3 Discuss the remainder of the process
3.1.1.2 Identify operational area management knowledge
3.1.1.2.1 same steps as "senior management"
3.1.1.3 Identify staff knowledge
3.1.1.3.1 same steps as "senior management"
3.1.1.4 Create threat profiles
3.1.1.4.1 Consolidate preliminary data
3.1.1.4.1.1 Group assets by organizational level
3.1.1.4.1.2 Group security requirements by organizational level
3.1.1.4.1.3 Group areas of concern, and impacts, by organizational level and asset
3.1.1.4.2 Select critical assets
3.1.1.4.2.1 Determine which assets will have a large adverse impact on the organization if their security requirements are violated -- those are the critical assets -- normally select 5 assets
3.1.1.4.2.1.1 Example
3.1.1.4.3 Define security requirements for critical assets
3.1.1.4.3.1 Create or refine security requirements for the organization's critical assets
3.1.1.4.3.1.1 Example
3.1.1.4.3.2 Identify the most important security requirement for each critical asset
3.1.1.4.4 Determine threats to critical assets
3.1.1.4.4.1 Identify threats to each critical asset
3.1.1.4.4.2 Map areas of concern for each critical asset to the threat profile for that asset
3.1.1.4.4.2.1 Example
3.1.1.4.4.3 Perform a gap analysis to determine additional threats to the critical asset
3.1.1.4.4.4 Develop threat profiles
3.1.1.4.4.4.1 OCTAVE - Risk profile (PIDS).pdf
3.1.1.4.5 Summarize results
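Worked example for "Determine threats to critical assets" (3.1.1.4.4): building the OCTAVE human-actor threat tree for one critical asset, mapping areas of concern onto it, and running the gap analysis. This is an added illustration, not code or data from CERT/SEI or from this page; the tree shape (access, actor, motive, outcome) is the OCTAVE generic threat profile, while the asset name and the areas of concern are constructed.

```python
"""OCTAVE Phase 1, Process 4: threat profile and gap analysis for one asset.

Added example. The human-actor branch of the generic threat profile is
asset -> access -> actor -> motive -> outcome; the asset and the areas of
concern below are constructed for illustration.
"""
from itertools import product

ACCESS = ("network", "physical")
ACTOR = ("inside", "outside")
MOTIVE = ("accidental", "deliberate")
OUTCOME = ("disclosure", "modification", "loss/destruction", "interruption")


def human_actor_branches(asset):
    """All 32 leaves of the human-actor threat tree for one critical asset."""
    return [(asset, *combo) for combo in product(ACCESS, ACTOR, MOTIVE, OUTCOME)]


def map_concern(concern, asset):
    """Map one area of concern (3.1.1.4.4.2) onto the branches it describes.
    A field left as None means the scenario did not specify it, so it
    matches every value for that field."""
    wanted = (concern["access"], concern["actor"], concern["motive"], concern["outcome"])
    return [
        branch for branch in human_actor_branches(asset)
        if all(w is None or w == actual for w, actual in zip(wanted, branch[1:]))
    ]


def gap_analysis(asset, concerns):
    """Branches no area of concern touches (3.1.1.4.4.3): candidates the
    analysis team must decide on explicitly rather than leave blank."""
    covered = set()
    for concern in concerns:
        covered.update(map_concern(concern, asset))
    return [branch for branch in human_actor_branches(asset) if branch not in covered]


# Constructed areas of concern for a constructed critical asset.
ASSET = "Customer records database"
CONCERNS = [
    {"text": "Outside attacker breaks in over the network and steals customer records",
     "access": "network", "actor": "outside", "motive": "deliberate", "outcome": "disclosure"},
    {"text": "Staff member accidentally deletes records (how they get access unspecified)",
     "access": None, "actor": "inside", "motive": "accidental", "outcome": "loss/destruction"},
]


if __name__ == "__main__":
    for concern in CONCERNS:
        print(concern["text"])
        for branch in map_concern(concern, ASSET):
            print("   ->", " / ".join(branch[1:]))
    gaps = gap_analysis(ASSET, CONCERNS)
    print(f"{len(gaps)} of {len(human_actor_branches(ASSET))} branches have no area of concern")
```

The point of the gap list is not that every branch needs a scenario; it is that each unaddressed branch (for example "physical / inside / deliberate / modification") is looked at and either given a concern or consciously marked as not applicable before the profile is summarized (3.1.1.4.5). The other three OCTAVE threat categories (system problems, other problems) follow the same pattern with different field lists.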
3.1.2 Identify infrastructure vulnerabilities
3.1.2.1 Identify key components
3.1.2.1.1 Identify key classes of components
3.1.2.1.1.1 Establish the system(s) of interest for each critical asset
3.1.2.1.1.1.1 Example
3.1.2.1.1.2 Identify the classes of components that are related to the system(s) of interest
3.1.2.1.2 Identify infrastructure components to examine
3.1.2.1.2.1 Select specific components to evaluate (systems of interest are automatically selected)
3.1.2.1.2.2 Select one or more infrastructure component from each class to evaluate
3.1.2.1.2.3 Select an approach and specific tools for evaluating vulnerabilities
3.1.2.1.2.3.1 Example
3.1.2.1.3 Summarize results
3.1.2.2 Evaluate selected components
3.1.2.2.1 Run vulnerability evaluation tools on selected infrastructure components
3.1.2.2.1.1 Staff or experts conduct vulnerability evaluation
3.1.2.2.1.2 Run vulnerability evaluation tools
3.1.2.2.1.3 Create vulnerability summaries for each critical asset
3.1.2.2.1.3.1 Example
3.1.2.2.2 Review technology vulnerabilities
3.1.2.2.2.1 Present vulnerability summaries to the rest of the team
3.1.2.2.2.2 Review and refine vulnerability summaries as required
3.1.2.2.3 Summarize results
3.1.3 Develop security strategy and plans
3.1.3.1 Conduct risk analysis
3.1.3.1.1 Identify the impact of threats to critical assets
3.1.3.1.1.1 Define impact descriptions for threat outcomes (disclosure, modification, loss, destruction, interruption)
3.1.3.1.1.2 OCTAVE - Risk impact descriptions_values.pdf
3.1.3.1.2 Create risk evaluation criteria
3.1.3.1.2.1 Create criteria that will be used to evaluate risks
3.1.3.1.2.2 Define what constitutes a high, medium and low risk
3.1.3.1.2.3 Example - matrix of impact criteria
3.1.3.1.2.3.1 OCTAVE risk-impact criteria.pdf
3.1.3.1.3 Evaluate the impact of threats to critical assets
3.1.3.1.3.1 Review each risk (threat + impact) and assign an impact measure (high, medium or low)
3.1.3.1.3.2 OCTAVE - Risk profile (PIDS).pdf
3.1.3.1.4 Summarize results
3.1.3.2 Develop protection strategy
3.1.3.2.1 Review vulnerabilities, protection strategy practices, organizational vulnerabilities, security requirements, and risk information
3.1.3.2.2 Create protection strategy
3.1.3.2.2.1 OCTAVE - Protection strategy.pdf
3.1.3.2.3 Create mitigation plans
3.1.3.2.3.1 OCTAVE - Mitigation plans.pdf
3.1.3.2.4 Create action list
3.2 web pages
3.2.1 main site
3.2.1.1 https://www.cert.org/octave/
3.2.2 download page
3.2.2.1 https://www.cert.org/octave/download/index2.html
4 Hazard Analysis and Critical Control Points (HACCP)
4.1 http://www.haccp-nrm.org/
5 Risk Matrix
5.1 https://secure.wikimedia.org/wikipedia/en/wiki/Risk_Matrix
6 Enterprise Risk Management
6.1 https://en.wikipedia.org/wiki/Enterprise_risk_management#COSO_ERM_framework
7 HITRUST Common Security Framework
7.1 http://www.hitrustalliance.net/
8 COMPARISON TOOL
8.1 http://rm-inv.enisa.europa.eu/comparison.html
8.2 Free
8.2.1 BSI - IT-Grundschutz
8.2.1.1 download link
8.2.1.1.1 https://www.bsi.bund.de/ContentBSI/EN/Publications/BSI_standards/standards.html
8.2.1.2 Methodology
8.2.1.2.1 Summarize threats
8.2.1.2.2 Assess threats
8.2.1.2.3 Handle risks
8.2.2 EBIOS
8.2.2.1 Written in French
8.2.2.2 ISO 17799
8.2.2.3 download link
8.2.2.3.1 http://www.ssi.gouv.fr/en/the-anssi/publications-109/methods-to-achieve-iss/ebios-2010-expression-of-needs-and-identification-of-security-objectives.html
8.2.3 A&K Analysis
8.2.3.1 Written in Dutch
8.2.3.2 ISO 17799
8.2.4 Austrian IT Security Handbook
8.2.4.1 ISO 17799 (partly)
8.2.4.2 Written in German
8.3 Payment/membership required
8.3.1 ISF
8.3.2 ISO/IEC 13335-2 (27005)
8.3.3 ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007)
8.3.4 ISO/IEC 27001
8.4 Out of date info
8.4.1 ISAMM
8.4.2 Marion
8.5 Status
8.5.1 Analysis of this tool isn't complete
8.5.2 Mikey got tired
9 ISO 27000 series - Information technology -- Security techniques
9.1 https://en.wikipedia.org/wiki/ISO/IEC_27000