Security Basics mailing list archives
Re: Risk Assessment/Management
From: <Steve.Cummings () barclayscapital com>
Date: Mon, 31 Oct 2005 18:19:52 -0000
Ok, have two tools that might help you, but they may be too expensive:

Skybox
ISS vms (I think it's called that; it is brand new), try www.iss.net

-----Original Message-----
From: Mark Brunner <mark_brunner () hotmail com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Sat Oct 29 22:02:10 2005
Subject: Risk Assessment/Management

I am looking for a tool, template or clear example of how to perform a Risk Assessment, and then manage the mitigation or acceptance of risk.

I've read a lot of the available information regarding the theory, methodologies and strategy, but am having a real hard time taking the concepts and applying them to real world items.

I've boiled my risk assessment effort to 5 key questions to start with for ease of creating some kind of matrix (spreadsheet for now).

For instance, I try to use the following:

1. What are the resources - Information & Information Systems - I'm actually interested in protecting? Easy enough to figure out which are the critical items once an inventory is made and relationships are established.

2. What is the value of those resources, monetary or otherwise? Easy enough to get the replacement costs of hardware, software, config time, etc. but how do you valuate the data? Based on time and effort to recreate?

3. What are all the possible threats that those resources face? Where can I get a compendium of risks to apply to each item for Yes/No response?

4. What is the likelihood of those threats being realized? Am I supposed to GUESS at this? How to quantify?

5. What would be the impact of those threats on my business or personal life, if they were realized? Easy enough to figure out, based on criticality and function.

I would appreciate any assistance offered. I'm floundering...

Thanks,
Mark