Learning Topic

Security and Audit Methodologies

One mistake cybersecurity practitioners make is to believe that once countermeasures against hacking are in place for a critical infrastructure system, that system is protected forever. Practitioners need to stay on continuous alert, and security and audit methodologies provide peace of mind. Auditing provides the opportunity to assess security risks and mitigate potential vulnerabilities.

In addition, security and auditing methodologies are good business practices. For example, customers assume that their information is protected when they open an account or apply for a loan.

Security and auditing are important because they let an organization confirm that controls and countermeasures are implemented correctly and appropriately, and that those controls and countermeasures are performing to their potential.

There are several common security and audit methodologies about which a cybersecurity professional must be knowledgeable.

The CCTA Risk Analysis and Management Method (CRAMM) is a risk analysis method developed by the United Kingdom government organization CCTA (Central Communication and Telecommunication Agency), now called the Office of Government Commerce (OGC).

Another important risk assessment approach is Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE defines a risk-based strategic assessment and planning technique for security.

Other important security and audit methodologies are value at risk (VAR) and Facilitated Risk Analysis Process (FRAP). VAR is based on the notion that, to assess the potential damage of an attack, cybersecurity practitioners should understand the worst loss due to a security breach. FRAP, by contrast, assumes that a narrow risk assessment is the best way to assess risk.