The Open Group, a vendor- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, has announced that the organization’s Security Forum has completed the second phase of a major initiative focused on risk management.

The Security Forum’s comprehensive project is aimed at eliminating widespread industry confusion about risk management among risk managers, security and IT professionals, and business managers. The Open Group Security Forum is also maintaining an active pipeline of projects to address the increasing risk and compliance concerns facing IT departments across organizations today. (A related Compliance Week article, "Explaining IT Risks to Senior Management," can be found here).

Amidst a growing number of product offerings, escalating threats and expanding regulation, risk management and compliance remain difficult to manage. Thus, the Security Forum’s goal for this phase of the risk-management project is to provide companies with guidelines on how to objectively evaluate whether a risk assessment methodology achieves comprehensive risk assessment and credible results. Phase two is now available as a technical guide entitled “Requirements for Risk Assessment Methodologies,” which describes key risk assessment traits, advises on quantitative versus qualitative measurements, and addresses the need for senior management involvement.

In addition to dealing with increased security threats, companies are also struggling with the cost and complexity of meeting regulatory compliance mandates. The Security Forum is therefore working on two standards to ease both compliance and audit reporting. The new compliance standard, ACEML, will provide an XML-based compliance knowledge base from which cost-effective compliance programs can be created. ACEML is intended to allow security and risk practitioners to reconcile differences between disparate policies when they are applied to a single system.

The Security Forum is also updating its existing audit and logging standard, XDAS, in order to help ease the difficulty and cost of log management. This standard aims to make audit records more descriptive and useful and to make it easier to consume and understand log information. Both the XDAS and ACEML standards will enable vendors to build products conforming to open standards in these areas.

“The Security Forum is taking an active role in producing risk and compliance standards that will help our customer organizations and others relieve the pain points involved in managing ever-increasing security risks and negotiating complex regulatory requirements,” said Jim Hietala, vice president of Security at The Open Group.

The risk-management technical guide is freely available for download online: http://www.opengroup.org/bookstore/catalog/. The third phase of the risk project, expected to be available in Q3, will produce “cookbooks” showing how to use the standard with various risk frameworks, starting with ISO 27005 and including COSO, OCTAVE, and NIST 800-53.