Security Basics mailing list archives
Re: Risk Assessment/Management
From: "Simon Borduas" <sborduas () hypertec ca>
Date: Mon, 31 Oct 2005 13:48:44 -0500
Hi Mark,

As far as real-life, down-to-earth methodology, I really like the OCTAVE approach. It will take you by the hand and assist you to make your RA like an expert ;)

http://www.cert.org/octave/methodintro.html

And the best thing about it... It's totally free.

On 29 Oct 2005 at 18:02, Mark Brunner wrote:
> I am looking for a tool, template or clear example of how to perform a Risk Assessment, and then manage the mitigation or acceptance of risk. I've read a lot of the available information regarding the theory, methodologies and strategy, but am having a real hard time taking the concepts and applying them to real world items.
>
> I've boiled my risk assessment effort to 5 key questions to start with for ease of creating some kind of matrix (spreadsheet for now). For instance, I try to use the following:
>
> 1. What are the resources - Information & Information Systems - I'm actually interested in protecting? Easy enough to figure out which are the critical items once an inventory is made and relationships are established.
> 2. What is the value of those resources, monetary or otherwise? Easy enough to get the replacement costs of hardware, software, config time, etc. but how do you valuate the data? Based on time and effort to recreate?
> 3. What are all the possible threats that those resources face? Where can I get a compendium of risks to apply to each item for Yes/No response?
> 4. What is the likelihood of those threats being realized? Am I supposed to GUESS at this? How to quantify?
> 5. What would be the impact of those threats on my business or personal life, if they were realized? Easy enough to figure out, based on criticality and function.
>
> I would appreciate any assistance offered. I'm floundering...
>
> Thanks,
> Mark

--
Simon Borduas, CISSP
Chief Security Officer / Chef de la sécurité
HyperTec Group / Groupe HyperTec
Tel: (514) 745.4540 x 5740
Fax: (514) 745.0937
http://www.hypertec-group.com