AS/NZS 4360, a risk management framework, was covered under the threat modeling episode. Is there a link with threat modeling and this risk management framework that I'm missing?
-
CISSP - AS/NZS 4360
-
Jeff,
I hope all is well. Great question; let me see if I can clarify for you:
The Australian/New Zealand Standard AS/NZS 4360, first issued in 1999, and revised in 2004, is the world’s first formal standard for documenting and managing risk and is still one of the few formal standards for managing it, hence why it is so well known by people in areas where risk management activities are part of what they do.
The AS/NZS 4360 is also classified as a possible Threat Model option or choice, as is the CVSS, also mentioned in the episode right after the AS/NZS 4360 discussion. Neither is "well known" as a threat model, but rather as a Risk Management Framework, and/or as a Vulnerability Tracking and Identification system, in the case of the CVSS.
While not commonly thought of when one mentions Threat Models, they do have a place at the table as "hybrid" solutions that have feet squarely in both the Risk Management and Threat Modeling camps.
My point in touching on them in the episode is to ensure that 1. you are aware of them, in case you are not, and 2. if you were to see them in a question on an exam, you would have some familiarity with them.
NOTE: The likelihood of you seeing them on the exam is slim, as the exam does not tend to reference country- or vendor-specific solutions, items, or legislation.
Take a look at this document, specifically pages 28 - 30 for more information if interested:
https://www.owasp.org/images/a/a6/AdvancedThreatModeling.pdf
Hope that helps to clarify for you?
Please feel free to follow up with me directly if you have additional questions as you are working through episodes and/or studying. My direct e-mail is: adam@itpro.tv
Good luck!!
Cheers,
Adam
-
@Adam-Gordon Thanks! You mentioned the exact reason I was asking. If AS/NZS 4360 is listed as a threat model choice, I should also consider it a threat model option.
-
Jeff,
If you did see it as an option for a Threat Model, I would select it.