There are many approaches to managing risk and, consequently, many different RMFs. In fact, ENISA126 enumerated no fewer than 29 such RMFs with potential interoperability, including the HITRUST RMF, in support of an initiative to develop an interoperable EU RMF.127 Selection was based on the following criteria:

  • “Risk management frameworks and methodologies used as best practice in the industry [emphasis added], regardless of their scope, type and size of organisation, target audience, etc.;
  • “Risk management frameworks and methodologies proposed as standards and guidelines by international and national standardisation bodies;
  • “Risk management methodologies and methods proposed by academia.”128

The criteria for excluding an RMF were explained as follows:

We excluded risk management frameworks and methodologies that were obsolete (i.e., those that had not been supported for more than ten years) and that did not support the fundamental risk management processes (i.e., those that provide guidance only for risk treatment, etc.). Further, we excluded risk management frameworks and methodologies that were proposed in academic sources but did not provide specific guidance for their implementation. Thus, the survey aimed to identify the state-of-the-art risk management frameworks and methodologies [emphasis added], rather than to provide an exhaustive list of all risk management frameworks and methodologies.129

In addition to those provided by ISO, NIST, and HITRUST, notable RMFs included in the list of “prominent risk management frameworks and methodologies that are currently in use”130 include but aren’t limited to those provided by Germany’s BSI,131 Carnegie Mellon University132 in the U.S., the European Telecommunications Standards Institute (ETSI),133 Luxembourg’s Cyberworld Awareness and Security Enhancement Services (CASES),134 the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI),135 the Spanish El Ministerio de Asuntos Económicos y Transformación Digital,136 the European Commission Directorate-General for Communication Security,137 and The Open Group,138 among others.

ENISA’s analysis of these frameworks resulted in the identification of eight features “that enable (or limit) the potential for interoperability of [RMFs] and methodologies.”139

  • Support for other risk management standards, frameworks, and methodologies
  • Breadth of the risk management components addressed
  • Whether the approach addresses assets, scenarios, or both
  • Use of qualitative, semi- or quasi-quantitative, or quantitative methods of evaluating risk
  • Types of catalogs or libraries used to support the approach
  • Method of risk calculation
  • Languages supported by the method (with an English version being of advantage)
  • Cost of licensing

ENISA’s final report on interoperability140 includes an evaluation of 16 of the 29 standards, frameworks, and methods based on a more detailed assessment and scoring model.141 As the HITRUST RMF was not included, the table below provides an evaluation of the HITRUST RMF consistent with ENISA’s evaluation of those 16, first without the implementation of QQRRA and then with it.

Table 5. Potential Interoperability of the HITRUST RMF

The columns follow ENISA’s model: Generic Aspects (Asset-based (AB) / Scenario-based (SB) approach; Quantitative (QT) / Qualitative (QL) approach); Functional features, i.e., Risk Identification (Asset Taxonomy, weighted 30%; Asset Valuation, 50%; Threat Catalogues, 10%; Vulnerability Catalogues, 10%), Risk Assessment (Risk Calculation Method), and Risk Treatment (Measure Catalogue & Calculation of Residual Risk); and Non-Functional features (Supported Languages; Supports Other Related Frameworks).

HITRUST RMF (Pre QQRRA)
  • Asset-based / Scenario-based approach: AB
  • Quantitative / Qualitative approach: QL
  • Asset Taxonomy (30%): No specific categories of assets provided. As a framework, accommodates any asset taxonomy. Interoperability Level: 3
  • Asset Valuation (50%): No specific categories of assets provided. As a framework, accommodates any asset taxonomy. Interoperability Level: 3
  • Threat Catalogues (10%): The HITRUST Threat Catalogue is specific to the threats/controls in the RMF; however, other sources may be mapped and used for analysis. Interoperability Level: 3
  • Vulnerability Catalogues (10%): No vulnerability catalogue provided. As a framework, it can accommodate any set of vulnerabilities or vulnerability catalogues. Interoperability Level: 3
  • Risk Calculation Method: The HITRUST RMF provides a specific approach to calculating risk using control maturity and impact codes for each control relevant to an asset or set of assets. Interoperability Level: 1
  • Measure Catalogue & Calculation of Residual Risk: HITRUST CSF controls are fully tailorable based on inherent risk to the organization, and the resulting control specification can be fully integrated into any type of risk analysis. Interoperability Level: 3
  • Supported Languages: EN
  • Supports Other Related Frameworks: ISO 27001/2, NIST SP 800-53

HITRUST RMF (Post QQRRA)
  • Asset-based / Scenario-based approach: AB/SB (QQRRA / Risk Catalogue)
  • Quantitative / Qualitative approach: QT (QQRRA / Risk Catalogue)
  • Asset Taxonomy (30%): The HITRUST Risk Catalogue will provide a generic list of information asset classes; however, any taxonomy for assets may be used for QQRRA. Interoperability Level: 3
  • Asset Valuation (50%): QQRRA provides decision support tools that are modifiable and can be used for any approach to asset valuation. Interoperability Level: 3
  • Threat Catalogues (10%): The HITRUST Risk Catalogue is specific to the threats/controls in the RMF; however, other sources may be mapped and used for analysis. Interoperability Level: 3
  • Vulnerability Catalogues (10%): The HITRUST Risk Catalogue will provide a generic list of vulnerability types for various classes of information assets; however, any source for asset vulnerabilities may be used for QQRRA. Interoperability Level: 3
  • Risk Calculation Method: QQRRA provides a patent-pending approach to computing residual risk based on likelihood using control effectiveness and impact expressed in monetary terms, related threats, and threat actor motivation and capability. Results are easily mapped to the results of other frameworks. Interoperability Level: 3
  • Measure Catalogue & Calculation of Residual Risk: HITRUST CSF controls are fully tailorable based on inherent risk to the organization, and the resulting control specification can be fully integrated into QQRRA or any other type of risk analysis. Interoperability Level: 3
  • Supported Languages: EN
  • Supports Other Related Frameworks: ISO 27001/2, NIST SP 800-53

The following table summarizes the potential interoperability scores of these 16 standards, frameworks, and methods142 together with the scores for the HITRUST RMF, both before and after the implementation of QQRRA.

Table 6. Potential Interoperability of Various Prominent Risk Management Standards, Frameworks, & Methodologies

Scores are the potential interoperability of each feature group: Risk Identification (Asset Taxonomy, Asset Valuation, Threat Catalogues, Vulnerability Catalogues), Risk Assessment (Risk Calculation Method), and Risk Treatment (Measure Catalogue & Calculation of Residual Risk), followed by the overall potential interoperability.

Standard, Framework, or Methodology           Risk Identification  Risk Assessment  Risk Treatment  Overall
HITRUST RMF (QQRRA)                           3                    3                3               3.00
NIST SP 800-37143                             3                    3                3               3.00
OCTAVE ALLEGRO144                             3                    3                3               3.00
OCTAVE-S145                                   3                    3                3               3.00
ISO/IEC 27005:2018146                         2.7                  3                3               2.90
MONARC147                                     2.7                  3                3               2.90
OCTAVE FORTE148                               2.7                  3                3               2.90
THE OPEN GROUP STD RISK ANALYSIS V2.0149      2.1                  3                3               2.70
BSI STANDARD 200-2150                         2                    3                3               2.67
GUIDELINES ON CYBER SECURITY ONBOARD SHIPS151 3                    2                3               2.67
NIST SP 800-39152                             2                    3                3               2.67
EBIOS RM153                                   2.9                  2                3               2.63
ETSI TS 102-165-1154                          2.7                  2                3               2.57
MAGERIT v3155                                 2.4                  2                3               2.47
HITRUST RMF (Pre-QQRRA)                       3                    1                3               2.34
ITSRM156                                      1.9                  2                3               2.30
NIST SP 800-30157                             1.6                  2                3               2.20
MEHARI158                                     2                    1                3               2.00

Current interoperability scores are consistent with the many and varied ways in which HITRUST has seen public and private sector organizations use the HITRUST RMF, which can run the gamut from simply using the HITRUST CSF as a compendium of best practices to adopting and integrating the HITRUST CSF, HITRUST Assurance Program, and supporting components into their organization-wide information protection and risk management programs. Integration of QQRRA into the HITRUST Approach vis-à-vis relevant products, services, and tools will further enhance this level of interoperability and provide improved support for integration into organizational information protection and risk management programs, regardless of any other standards, frameworks, or methodologies these organizations may also leverage.

126 ENISA (2022). About ENISA – The European Union Agency for Cybersecurity.

127 ENISA (2022a, Jan). Compendium of Risk Management Frameworks with Potential Interoperability: Supplement to the Interoperable EU Risk Management Framework Report. Attiki, GR: Author.

128 Ibid., pp. 6-7.

129 Ibid., p. 7.

130 Ibid., p. 8.

131 BSI (2022). BSI-Standards.

132 Carnegie Mellon University Software Engineering Institute (2022). SEI: Publications: Digital Library: Search Results: OCTAVE.

133 European Telecommunications Standards Institute, ETSI (2022). Standards: Search: Cybersecurity.

134 MONARC (2022). What is MONARC?

135 Agence Nationale de la Sécurité des Systèmes d’Information, ANSSI (2022). EBIOS Risk Manager – The Method.

136 Portal Administración Electrónica (2022). The Portal E-government: Cover Page of Documentation: Cover of Methodologies and Guidelines: Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información.

137 European Commission (2022). Home: Departments and Executive Agencies: Informatics.

138 The Open Group (2022). Risk Analysis.

139 ENISA (2022a), p. 31.

140 ENISA (2022b, Jan). Interoperable EU Risk Management Framework: Methodology for and assessment of interoperability among risk management frameworks and methodologies. Attiki, GR: Author.

141 Ibid., pp. 6-12.

142 Ibid., pp. 24-25.

143 JTF (2018, Dec).

144 Caralli, R., Stevens, J., Young, L., and Wilson, W. (2007, May). Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process (CMU/SEI-2007-TR-012). Pittsburgh: Carnegie Mellon University.

145 Alberts, C., Dorofee, A., Stevens, J., and Woody, C. (2005, Jan). OCTAVE®-S Implementation Guide, Version 1.0 (CMU/SEI-2003-HB-003). Pittsburgh: Carnegie Mellon University.

146 ISO/IEC (2018). Information Technology – Security Techniques – Information Security Risk Management (ISO/IEC 27005:2018). Geneva: Author.

147 CASES (2016, Apr). MONARC Version 1.0. Luxembourg: Author.

148 Tucker, B. (2020, Nov). Advancing Risk Management Capability Using the OCTAVE FORTE Process (CMU/SEI-2020-TN-002). Pittsburgh: Carnegie Mellon University.

149 The Open Group (2021, Nov). Risk Analysis (O-RA), Version 2.0.1. Berkshire, UK: Author.

150 BSI (2017, Oct). IT-Grundschutz Methodology (BSI-Standard 200-2). Bonn: Author.

151 Baltic and International Maritime Council, BIMCO (2020). The Guidelines on Cybersecurity Onboard Ship, Version 4.0.

152 JTF TI (2011, Mar).

153 ANSSI (2022).

154 ETSI (2017, Oct). CYBER; Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA) (ETSI TS 102 165-1 V5.2.3). Sophia Antipolis Cedex, FR: Author.

155 Portal Administración Electrónica (2022).

156 European Commission (2020, 8 Nov). IT Security Risk Management Methodology v1.2: Description of the Methodology (v1.2 r19).

157 JTF TI (2012, Sep).

158 Club de la Sécurité de l’Information Français, CLUSIF (2022). Reception: Services: Risk Management: The Fundamentals of MÉHARI (Google Translation).