Risk Management Blog

May 2007 - Posts

  • State of Risk Management in ISM-Community

    ISM-Community was originally created and the steering committee formed in Fall of 2006.  During that time, one of our key activities was to come up with a list of projects that were worthwhile, and that list became somewhat of a direction for us to move in.

    One of the first priorities has been to develop a risk assessment methodology.  Me being of a US Government mindset, my first question was "What's wrong with NIST SP 800-30?"  Well, 800-30 is a good start, but like I've said before, there are some things such as templates, examples, and suggestions that NIST can't give you because then all the auditors take it as gospel/doctrine instead of implementation technique.  We want to bridge that gap.

    We traveled down the RA Methodology road over the past 6 months or so and due to a handful of factors, mostly time constraints (find me a security person worth anything at all and they're up to their eyeballs in projects) and a couple of false paths we've gone down (FAIR was a good one, but we had a philosophy/licensing issue), the project has stuttered.

    What remains to be done?  Well, this is my roadmap for the near- to moderate-term future:

    • Finish off the remaining RA Methodology sections
    • Creation of artifacts/templates/examples to support the methodology
    • Field-testing to validate the methodology

    At some point, the artifacts will suffer from scope-creep as they become a set of ISM .  That's OK.

    In true NPO form, I'm asking for volunteers who can help out.  The first step is to look at the existing incarnation of the RA Methodology and make recommendations.

All Rights Reserved - The ISM-Community