The CERT/CC has developed a security model, OCTAVE, based, in part, on best practices from ISO 15048 and RFC 2196.
OCTAVE uses a three-part approach to help guide an organization through the process of identifying and addressing security issues:
Build asset-based threat profiles.
Identify infrastructure vulnerabilities.
Develop security strategy and plans.
OCTAVE has been designed from the ground up to be managed internally. CERT found that many organizations outsource their security assessments to third-party vendors. The problem with this approach is that third-party vendors cannot adequately assess the security risks for a company. Every organization has different security needs, depending on what it views as its core assets. ...