On Dec 1, 2005, at 1:10 AM, Medzich, Maik wrote:
Dear all,
I'm currently involved in a process to decide whether or not
carring out an (additional) risk analysis for the IT landscape.
We currently dealing with the SOX404 act and wondering whether an
additional risk analysis is useful and valuable for consideration.
I believe that SOX has dealt in depth with risks, but from my point
of view it is more control orientated. What means that SOX doesn't
really care about the probability of the risk. And it is also only
belonging to financial reporting (well, if a system breaks down, it
perhaps harm the finacial reporting of cource, but not necessarily
do it)
The notion of determining the probability of information related
risks is fundamentally and, in my view, fatally flawed. However,
presumably, information-related risks were covered in the SOX audit -
or the job was not properly done.
However, it would be interesting if you could post some of your
experiences in such area. Success stories and benefits of risk maps
would especially be of interest for me. Perhaps somebody could give
me a hint to some good sources measuring benefits versus cost of an
IT risk analysis (costs are always the "show-stopper").
Risk analysis techniques are described in detail in a Burton Group
report from a few years ago - if you are a Burton Group member.
Otherwise you might try the light version of it in the CISO ToolKit
Governance Guidebook. Page 57-62 and Security Metrics pages 28-40
Thanks a lot.
Regards
Maik
-- This communication is confidential to the parties it is intended
to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
Security Management Partners policygeeks.com Livermore, CA 94550
