The Open Group Security Forum Initiates Development of Risk Management and Analysis Taxonomy

SAN FRANCISCO , June 17 /PRNewswire/ -- The Open Group, a vendor -- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, today announced that the organization's Security Forum has initiated work on a risk management and analysis taxonomy standard. This is the first phase of a comprehensive initiative aimed at eliminating widespread industry confusion about risk management among risk managers, security and IT professionals as well as business managers. Risk management vendors and their customers interested in getting involved can learn more here:

The Security Forum's focus on a risk management and analysis taxonomy is in direct response to the idea that risk analysis has historically been more art than science. Prior risk taxonomies used terms which were ill-defined, resulting in many inconsistent definitions and taxonomies within the information security landscape. None of these provided a clear and logical representation of the fundamental problem that the risk management profession must control: the frequency and magnitude of loss.

"The Open Group Security Forum has chosen to start this standards work from its core -- understanding what 'risk' truly is," said Mike Jerbic , chairman, The Open Group Security Forum. "We believe that no significant progress can be made until we have a rigorous taxonomy for the terms and definitions we use in risk management.

The Open Group Security Forum's risk taxonomy will promote a consistent, tightly defined use of risk management terminology, in order to ensure a common understanding between different analysts and analysis methods. Misunderstandings of language and meaning often exist between senior management, personnel responsible for enterprise risk management and those responsible for IT risk management. Seemingly simple terms such as "threat," "vulnerability," and "risk" are used with different meanings by these various stakeholders. A commonly accepted taxonomy of terms and definitions is essential to enable all of the interested parties -- including risk management practitioners, business managers and IT professionals -- to understand each other and ultimately achieve their desired risk management goals.

Risk Management Insight, a member of The Open Group's Security Forum, seeded the initiative by contributing its FAIR (Factor Analysis for Information Risk) risk management taxonomy and methodology as the foundation for further development. "We felt that The Open Group's Security Forum was a perfect organization to lead the charge in developing a standard common language, or taxonomy, for risk management and analysis," said Alex Hutton , CEO, Risk Management Insight. "With the increasingly complex security requirements, organizations cannot afford to not be on the same page when it comes to assessing these risks."

"Risk management is an area where standards work is sorely needed; we see on a daily basis the perils associated with not having all parties 'speak' the same language," said Jim Hietala , vice president of Security, The Open Group. "We look forward to ongoing collaboration among our current Security Forum Members and encourage participation by other industry experts to develop a standard taxonomy."

As there are many risk assessment methodologies available - all claiming to produce better results than the others -- The Open Group Security Forum's goal is to enable an objective evaluation of how any one risk assessment methodology achieves a comprehensive risk assessment and credible results. After the initial taxonomy has been established, the Security Forum will develop an industry standard aimed at defining the essential components, methodology and characteristics, that an effective Risk Assessment Methodology must address, and globally promote these as common criteria. The scope of this next phase is likely to include mapping these common criteria to the requirements established in other relevant industry-specific standards such as BITS Shared Assessments standards and COBIT (Control Objectives for Information and related Technology).

About The Security Forum

The Security Forum works to raise industry confidence levels by defining technical standards and guidelines to counter the whole range of security risks and vulnerabilities, and also addresses business and technology perspectives. Covering all aspects of information security in open systems environments, including risk management, governance (including audit and compliance), confidentiality, integrity, accountability, non-repudiation, copy-protection, availability, privacy, policy, best practice and frameworks for legal and regulatory issues at global as well as national levels. Further information on The Security Forum can be found at

About The Open Group

The Open Group is a vendor-neutral and technology-neutral consortium, which drives the creation of Boundaryless Information Flow(TM) that will enable access to integrated information within and between enterprises based on open standards and global interoperability. The Open Group works with customers, suppliers, consortia and other standard bodies. Its role is to capture, understand and address current and emerging requirements, establish policies and share best practices; to facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies; to offer a comprehensive set of services to enhance the operational efficiency of consortia; and to operate the industry's premier certification service. Further information on The Open Group can be found at

Note to Editors: Boundaryless Information Flow is trademark of The Open Group. All other company, brand and product names may be trademarks or registered trademarks of their respective holders.

SOURCE The Open Group