Comparison of the NIST Risk Management and IAM Methodologies
Rene Rivera
University of Houston
Similarities
- Both methodologies address the security of the physical system
- Both use similar information-gathering techniques
- Both estimate the likelihood of a threat occurring
- Both recommend similar technical and preventive controls
- Both recommend the use of similar testing tools
- The purpose of each is to improve the system's security profile
NIST Differences
- Built around the SDLC, so it can be applied to systems at any stage, from planning through operation
- The system's mission drives the assessment activities
- Identifies the threats to the system
- The assessment procedure does not specify on-site activities
- The impact analysis covers the entire system
IAM Differences
- The organization's mission statement is the foundation of the assessment
- Defines and assesses information criticality
- Determines the risk to the system and its information in greater detail
- Specifies customer involvement and interaction throughout the assessment
- Produces a technical assessment plan
- Maintains a positive, cooperative environment with the customer
- Offers the customer choices