Network Security Security-Management

Re: Risk Assessment Modelling

Subject: Re: Risk Assessment Modelling
Date: 19 Aug 2004 10:40:32 -0000
In-Reply-To: <20040809122759.7177.qmail@www.securityfocus.com>

Hi All,

Thanks very much to those of you who had replied to my earlier message on IT 
Risk Assessment Model. I have developed a conceptual model for risk analysis in 
the past few days, and wanted to get your inputs/opinions.

The Model is based on:

1) Threats that are associated with an asset
2) The current control capabilities.

I am calculating an Inherent Risk Value for individual threats based on the 
Probability of Occurrence of the threat, and the Severity of impact (for this 
purpose, I am using a scale of 1 to 4, 1 being Low & 4 being Severe). I use a 
Sum of Squares approach (sum of squares of probability & Severity) to calculate 
the Inherent Risk Value.

Subsequently, I also evaluate the current control capability (segregating 
between Preventive & Corrective/Detective controls) to mitigate/address the 
threat (scale of 0 to 4, 0 being no control available, and 4 being highest 
level of control). Again, I use a sum of squares approach to determine the 
control capability value.

The Inherent Risk Value minus the Current Control Capability is the Residual 
Risk, for which I have defined threshold levels and accordingly graded risk as 
Low, Medium, High or Severe.

Based on this approach, I would have an individual residual risk rating for each 
threat scenario that would apply to the asset.

I would like feedback on the approach that I have adopted, and whether the same 
is acceptable as part of the BS7799 Certification process. Inputs/comments 
would be much appreciated. 

Regards
Andrew.



From: atlantis 1 <atlantis1@fastmail.fm>
To: security-management@securityfocus.com
Subject: Risk Assessment Modelling



Hi,

I am currently working on a Risk Assessment Model as part of my organisation's 
initiative to prepare for a BS7799 Certification.

I have gone through NIST 800-30 and OCTAVE and am accordingly developing an 
Excel-based quasi-quantitative model which takes into account threats, impact 
and probabilities of occurrence in analysing risk.

I would like to know whether there is any standard software that can help me 
in doing a risk assessment exercise. I have heard about CRAMM, but have not 
had an opportunity to use/evaluate it. Any inputs on any good software 
applications in the field of Risk Assessment would be much appreciated.

Thanks in advance for your help.

Regards.
Andrew
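A worked implementation of the scoring scheme in Andrew's reply above, added here as an example and not code from the thread; the `Threat` fields, the grading thresholds (the post says thresholds exist but does not give them) and the three sample scenarios are assumptions.

```python
from dataclasses import dataclass

# Scales as stated in the post: 1..4 for probability and severity, 0..4 for controls.
RATING_RANGE = (1, 4)
CONTROL_RANGE = (0, 4)
# ASSUMED grading thresholds; the post says thresholds exist but does not give them.
# Residual risk can range from 2 - 32 = -30 up to 32 - 0 = 32.
GRADE_THRESHOLDS = ((8, "Low"), (16, "Medium"), (24, "High"))  # above 24: Severe

@dataclass(frozen=True)
class Threat:
    name: str
    probability: int   # probability of occurrence, 1 (Low) .. 4 (Severe)
    severity: int      # severity of impact, same scale
    preventive: int    # preventive control capability, 0 (none) .. 4 (highest)
    detective: int     # corrective/detective control capability, same scale

def _checked(value: int, bounds: tuple, label: str) -> int:
    # Reject ratings outside the scale so a typo cannot silently skew the result.
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{label}={value} is outside {lo}..{hi}")
    return value

def inherent_risk(probability: int, severity: int) -> int:
    """Sum of squares of probability and severity (2..32)."""
    p = _checked(probability, RATING_RANGE, "probability")
    s = _checked(severity, RATING_RANGE, "severity")
    return p * p + s * s

def control_capability(preventive: int, detective: int) -> int:
    """Sum of squares of the two control scores (0..32)."""
    a = _checked(preventive, CONTROL_RANGE, "preventive")
    b = _checked(detective, CONTROL_RANGE, "detective")
    return a * a + b * b

def residual_risk(t: Threat) -> int:
    """Inherent risk minus control capability. Strong controls can push this
    below zero; it is returned unclamped so a reviewer sees that effect."""
    return inherent_risk(t.probability, t.severity) - control_capability(t.preventive, t.detective)

def grade(residual: int) -> str:
    # Map a residual value onto the Low/Medium/High/Severe bands.
    return next((label for limit, label in GRADE_THRESHOLDS if residual <= limit), "Severe")

# Constructed sample scenarios for one asset (not from the post).
SAMPLE_THREATS = [
    Threat("malware outbreak", 3, 4, 2, 3),     # 25 - 13 = 12  -> Medium
    Threat("insider data theft", 2, 4, 1, 1),   # 20 - 2  = 18  -> High
    Threat("power failure", 4, 2, 4, 4),        # 20 - 32 = -12 -> Low
]
```

The "power failure" scenario shows that on these scales the control score can exceed inherent risk and yield a negative residual, which is worth deciding about before the threshold bands are fixed.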