Security Basics mailing list archives
RE: Measuring Risk Assessment
From: security () calculateddecision com
Date: Thu, 22 Sep 2005 22:07:04 -0700
I'm not sure how applicable this is, but it's an idea. It's going to be difficult to show "improvements" in quality once a process is under control, because generally the idea is to maintain that control rather than make huge changes. So as things get closer to perfect there are fewer major improvements to be cited. You really can't show that you're fixing things that aren't broken. The only thing that I can think of as support would be to work on percentages of what risks are faced at present. Or, somehow show effects on management overhead, annual spending related to risk, or other dollar values. Why is the initial risk reduction not usable? Will the BS7799 not make the firm available for other contracts? (I would think if he could sell them on how it would affect the bottom line he'd be in.)

-Anthony Towry
-------- Original Message --------
Subject: Measuring Risk Assessment
From: shankarnarayan.d () netsol co in
Date: Wed, September 21, 2005 4:07 am
To: security-basics () securityfocus com

Hi,

We have successfully enabled an Organization to achieve BS7799. We have conducted a Qualitative Risk Assessment for the different IT assets. As a part of periodic improvements the client periodically adds additional security measures/ tweaking current controls etc.

The Client wants to now measure the effectiveness of adopting these controls to show visible proof to his management about the effectiveness of these controls and maybe adopting the standard. Can I get some suggestions (irrespective of whether it is relevant to BS7799 or not) as to how this client may show improvements to his management. Specifically, any metrics on how he may show effectiveness w/ respect to the "qualitative risk assessment".

When he first implemented the Risk Treatment plan, he could show significant risk reduction, but (as an example), tweaks and changes now don't reduce a risk which is "High" to "Medium"; they only bring it a few notches lower but still in "High".

Any inputs would be greatly appreciated. I am looking for something apart from standard inputs like compare the number of vulnerabilities/ security issues faced/ measuring the hits on Firewall/ IDS etc.

Thanks,
Shankar
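One way to make the within-band movement Shankar describes visible, as an added example that is not from the thread: keep a numeric likelihood x impact score underneath each qualitative band and report the percentage change in total residual score, so a risk that stays "High" still shows a measurable reduction. The scales, band thresholds and sample risks are constructed assumptions, not anything the thread specifies.

```python
# Added example (not from the thread): a minimal risk register that keeps a
# numeric score underneath each qualitative band, so that control tweaks which
# leave a risk "High" still show up as a measurable reduction.
# Scales, thresholds and sample risks are constructed assumptions.

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

def score(likelihood, impact):
    """Raw risk score = likelihood x impact (1..25), assumed scheme."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def band(s):
    """Map a raw score to the qualitative band (assumed thresholds)."""
    if s >= 15:
        return "High"
    if s >= 8:
        return "Medium"
    return "Low"

def summarise(register):
    """Return total residual score and the count of risks per band."""
    total = sum(score(r["likelihood"], r["impact"]) for r in register)
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in register:
        counts[band(score(r["likelihood"], r["impact"]))] += 1
    return total, counts

def improvement(before, after):
    """Percentage reduction in total residual score between two assessments."""
    b, _ = summarise(before)
    a, _ = summarise(after)
    return round(100.0 * (b - a) / b, 1)

# Constructed sample: initial assessment and the re-assessment after tweaking controls.
BEFORE = [
    {"asset": "payroll DB", "likelihood": "almost certain", "impact": "severe"},  # 25, High
    {"asset": "mail relay", "likelihood": "likely", "impact": "major"},            # 16, High
    {"asset": "intranet wiki", "likelihood": "possible", "impact": "moderate"},   # 9, Medium
]
AFTER = [
    {"asset": "payroll DB", "likelihood": "likely", "impact": "severe"},          # 20, still High
    {"asset": "mail relay", "likelihood": "likely", "impact": "moderate"},        # 12, Medium
    {"asset": "intranet wiki", "likelihood": "unlikely", "impact": "moderate"},   # 6, Low
]

if __name__ == "__main__":
    print(summarise(BEFORE), summarise(AFTER), improvement(BEFORE, AFTER))
```

The payroll DB stays "High" in both assessments, yet the total residual score drops from 50 to 38, a 24% reduction that can be reported to management alongside the band counts.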
Current thread:
- Measuring Risk Assessment shankarnarayan . d (Sep 22)
- RE: Measuring Risk Assessment Craig Wright (Sep 26)
- RE: Measuring Risk Assessment security (Sep 26)
- RE: Measuring Risk Assessment security (Sep 26)