ARTS

ARTS is an acronym summarizing the author's views on the most essential dimensions of IT security. In detail, the acronym derives from:

• Assets
• Risks
• Tools
• Strategies

One way to visualize the ARTS system is to think of each letter as one cardinal point of a compass. A complete view of the situation requires analysis in all four of these directions. Also (through sheer coincidence) the arrangement of the letters in a list suggests a top-down + bottom-up process for security design and implementation. In order, this would go something like this:

Planning

• A: Determine asset values and priorities.
• R: Evaluate risks (including threats, vulnerabilties, likelihoods, and consequences).
• T: Review available tools and other controls.
• S: Devise a strategy to deploy the best tools against the most dangerous risks.

Implementation

• S: Develop an architecture based on the strategy.
• T: Deploy tools according to the architectural design.
• R: Reassess risks on an ongoing basis.
• A: Monitor the status of each asset.

The ARTS methodology defined above is somewhat analogous to the OCTAVE-S framework, a small organization version of Carnegie Mellon's more extensive (and trademarked) Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) risk assessment approach. [1]

References:

[1] http://www.isaca.org/Journal/Past-Issues/2009/Volume-4/Pages/The-OCTAVE-Approach-to-Information-Security-Risk-Assessment1.aspx