Open Group Risk Management “taxonomy”

I was reading this:

“With a goal of getting IT professionals to use standard terminology and eliminate ambiguity in expressing important risk-management concepts, the Open Group is finalizing a 50-page compendium of “risk-management and analysis taxonomy.”

The Open Group Security Forum’s risk taxonomy of about 100 expressions will not only address seemingly simple words such as threat, vulnerability and risk, but less common terms such as control strength.”

I was thinking, why are these guys doing this when there is stuff like ISO Guide 73, ISO 27005 and ISO 27000 already published or on its way to being published?

1 Comment

  1. Alex says:

    Because they aren’t linked in a logical way that reflects cause-and-effect relationships for the various factors of a taxonomy, or are incomplete in their considerations of what creates “risk”.

    That is to say, there’s a difference between building a standard based on a model of how the world works and building a standard by committee based on a collection of (sometimes conflicting) disparate definitions.

    June 25, 2008 @ 9:16 am
