
Network World


Open Group's Security Forum devising risk-management "taxonomy"

Group hopes to standardize terminology, reduce ambiguity
By Ellen Messmer, Network World, 06/17/2008

With a goal of getting IT professionals to use standard terminology and eliminate ambiguity in expressing important risk-management concepts, the Open Group is finalizing a 50-page compendium of "risk-management and analysis taxonomy."

The Open Group Security Forum's risk taxonomy of about 100 expressions will address not only seemingly simple words such as threat, vulnerability and risk, but also less common terms such as control strength.

The taxonomy study, which is expected to be publicly available around August, will be based on intellectual property contributed by Open Group member Risk Management Insight.

"There have been different ways of doing this for decades," says Jim Hietala, vice president of security at the Open Group, about the process and terms used to describe and evaluate risk. "This effort attempts to define a common set of terms around risk management."

Also around August, the Open Group will begin working on a second phase of the project, which centers on risk-assessment methodology, Hietala says. The Open Group is not a standards body and doesn't intend to come up with alternatives to industry standards such as the Control Objectives for Information and related Technology (CoBIT) framework, but will concentrate its efforts on establishing common criteria expressed as components, methodology and characteristics. That work is expected to be completed by year end.
