Risk Redux is a project trying to turn useful frameworks for thinking about cybersecurity into simple, open-source code. So, let's manage risk!
Information categorization is a prerequisite to just about everything related to risk management, but NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, is not ideal for searching through various data types. We created typist to support some simple searching capabilities (poorly) and provide a simpler organization of all the interconnected information.
Modeling risks and documenting problems within system boundaries is a critical aspect of continuous monitoring, because you have to be able to communicate about what’s wrong before you can fix anything. NIST SP 800-30, Guide for Conducting Risk Assessments, provides an approach to this conundrum, and risquè provides an easy-to-use tool for leveraging those ideas into actual shareable content.
With performatron, we focus on NIST SP 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. NICE is essentially a framework for thinking about how we talk about cybersecurity work and the various types of roles responsible for doing it.
performatron, in turn, seeks to be a career planning/development tool, and will be loosely based on the mechanics of a role-playing game (i.e., with quest mapping, experience point scoring, leveling up, etc.). For now, it’s just a bit of a handy reference.
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is maybe the most often cited document in Federal cybersecurity. The publication provides a wealth of information about facets of cybersecurity through the lens of controls a system owner can implement to actually secure their systems!
control_freak takes all of that content and makes it easy to search, navigate, access programmatically, and link to!
We've got a few ideas in the works at Risk Redux, and we're planning on publishing all of them! Stay tuned!