Re: Risk Assessment/Management
From: Simon Borduas (sborduas_at_hypertec.ca)
Date: 10/31/05
- Previous message: Fred Cohen: "Re: secure backups"
- In reply to: Mark Brunner: "Risk Assessment/Management"
- Next in thread: Brian McCaleb: "RE: Risk Assessment/Management"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <mark_brunner@hotmail.com>, <security-basics@securityfocus.com>
Date: Mon, 31 Oct 2005 13:48:44 -0500
Hi Mark,
As far as a real-life, down-to-earth methodology goes, I really like the
OCTAVE approach. It will take you by the hand and assist you in making
your RA like an expert ;)
http://www.cert.org/octave/methodintro.html
And the best thing about it... It's totally free.
On 29 Oct 2005 at 18:02, Mark Brunner wrote:
> I am looking for a tool, template or clear example of how to perform a Risk
> Assessment, and then manage the mitigation or acceptance of risk. I've read
> a lot of the available information regarding the theory, methodologies and
> strategy, but am having a real hard time taking the concepts and applying
> them to real world items. I've boiled my risk assessment effort to 5 key
> questions to start with for ease of creating some kind of matrix
> (spread*** for now).
>
> For instance, I try to use the following:
> 1. What are the resources - Information & Information Systems - I'm actually
> interested in protecting?
> Easy enough to figure out which are the critical items once an inventory is
> made and relationships are established.
>
> 2. What is the value of those resources, monetary or otherwise?
> Easy enough to get the replacement costs of hardware, software, config
> time, etc. but how do you valuate the data? Based on time and effort to
> recreate?
>
> 3. What are all the possible threats that those resources face?
> Where can I get a compendium of risks to apply to each item for Yes/No
> response?
>
> 4. What is the likelihood of those threats being realized?
> Am I supposed to GUESS at this? How to quantify?
>
> 5. What would be the impact of those threats on my business or personal
> life, if they were realized?
> Easy enough to figure out, based on criticality and function.
>
> I would appreciate any assistance offered. I'm floundering...
>
> Thanks,
> Mark
>
--
Simon Borduas, CISSP
Chief Security Officer / Chef de la sécurité
HyperTec Group / Groupe HyperTec
Tel: (514) 745.4540 x 5740
Fax: (514) 745.0937
http://www.hypertec-group.com
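Mark's five questions map directly onto a qualitative risk matrix, which is what most methodologies (OCTAVE included) end up producing. The following is an added example, not code from the thread or from OCTAVE: it scores each asset/threat pair as likelihood x impact, uses asset value only to break ties, and marks each row accept or mitigate against a threshold. The ordinal scales, the threshold and the sample register are constructed assumptions.

```python
"""Qualitative risk matrix built from the five questions in the post above.

Added example, not part of the original thread or of OCTAVE. The 1-5 scales,
the treatment threshold and the sample register are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal 1-5 scales (Q4 and Q5); the matrix multiplies them into a 1-25 score.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str        # Q1: the resource being protected
    value: int        # Q2: asset value on a 1-5 scale (replacement/recreation effort)
    threat: str       # Q3: one threat applied to that asset
    likelihood: str   # Q4: key into LIKELIHOOD
    impact: str       # Q5: key into IMPACT


def score(risk: Risk) -> int:
    """Matrix cell: likelihood times impact, range 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def decide(risk: Risk, accept_below: int = 12) -> str:
    """Treatment decision: scores at or above the threshold must be mitigated."""
    return "accept" if score(risk) < accept_below else "mitigate"


def rank(register: list[Risk]) -> list[tuple[str, str, int, str]]:
    """Highest risk first; equal scores are ordered by asset value (Q2)."""
    ordered = sorted(register, key=lambda r: (score(r), r.value), reverse=True)
    return [(r.asset, r.threat, score(r), decide(r)) for r in ordered]


# Constructed sample register (not real assets or findings).
SAMPLE_REGISTER = [
    Risk("customer database", 5, "ransomware on file server", "possible", "severe"),
    Risk("customer database", 5, "disk failure without backup", "unlikely", "major"),
    Risk("marketing laptop", 2, "theft", "likely", "minor"),
    Risk("public web server", 3, "defacement", "possible", "moderate"),
]

if __name__ == "__main__":
    for asset, threat, s, action in rank(SAMPLE_REGISTER):
        print(f"{s:3d} {action:8s} {asset}: {threat}")
```

The same register can be exported to the spreadsheet Mark mentions; the point is that likelihood and impact are chosen from a fixed scale rather than guessed free-form, so two assessors produce comparable rows.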