Security Basics mailing list archives

Re: Risk assessment


From: Daniel Miessler <daniel () dmiessler com>
Date: Fri, 22 May 2009 14:07:35 -0400

Hello list,

I am looking for some examples of risk assessments. I have read quite a few documents regarding this, but it would 
be greatly appreciated if I could have some examples on this topic.

The best way to do this is to have a BIA form filled in by the business, but unfortunately there is less involvement 
from that side.

Can anybody give me some examples/advice on this?

I recommend going for relatively few data points first, to ensure you
can cover the number of projects you need to. Start with a
pre-assessment form that has something like:

1. Data Type / Classification
2. Exposure (internal, Extranet, Internet, VPN, etc.)
3. Users (employees, contractors, partners, public, etc.)
4. DR Requirements (1 hour/3 hours/24 hours, etc.)

Then, from there, you can use an algorithm to assign a potential risk
rating to the project. Maybe High/Low, or High/Medium/Low.

And that score will determine what all you look at afterwards. Some
options might include:

a. Scans (web app scans, static code analysis, network scans)
b. Interviews (talking to people on the project to learn more about it)
c. Creating diagrams that outline the dataflow through the project

And then, if you end up doing an assessment based on your initial
test, you will always have some info on the project, such as:

- Project Summary
- Project Manager
- GoLive Date
- Issues Found (with potential impact and possible remediation paths)
- An overall summary of how you see the risk (for management)
- A final risk score using your company's preferred system: H, M, L, etc.

These are just some real quick data points that you can refine further
once the system is working, but the key is to get something in place
and avoid over-engineering the entire project out of existence.

Hope this helps.

-- 
Daniel R. Miessler
W: http://dmiessler.com/
E: daniel () dmiessler com
P: 510 585 9143
G: 0xD4A8FFF6
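The pre-assessment triage Daniel sketches above (four form fields, a scoring algorithm, an H/M/L rating, and a rating-driven choice of follow-up activities) carried through as a small working script. This is an added example, not code from the original post or from Daniel Miessler: the lookup tables, point values, H/M/L thresholds and the mapping from rating to activities are all assumptions chosen for illustration and would need calibrating against real projects. One design choice worth noting for the original poster's situation (a business side that does not fill in forms): a blank field scores the worst case, so an incomplete form can only raise a project's rating, never lower it.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative lookup tables (assumed for this example, not any standard):
# a higher number means more sensitive, more exposed, or more critical.
DATA_CLASS_SCORE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
EXPOSURE_SCORE = {"internal": 0, "vpn": 1, "extranet": 2, "internet": 3}
USERS_SCORE = {"employees": 0, "contractors": 1, "partners": 2, "public": 3}
MAX_PER_FIELD = 3
MAX_TOTAL = 4 * MAX_PER_FIELD  # four data points on the form


@dataclass(frozen=True)
class PreAssessment:
    """The pre-assessment form: the four data points from the post."""
    project: str
    data_class: Optional[str]    # 1. data type / classification
    exposure: Optional[str]      # 2. exposure (internal, extranet, internet, vpn)
    users: Optional[str]         # 3. users (employees, contractors, partners, public)
    dr_hours: Optional[float]    # 4. DR requirement, as a recovery window in hours


def lookup(table: dict, value: Optional[str]) -> int:
    """Score one categorical field.

    A missing answer scores the worst case, so an unfilled form can never
    lower the rating (a conservative default chosen for this example).
    An unrecognised answer is an error rather than a silent zero.
    """
    if value is None:
        return MAX_PER_FIELD
    key = value.strip().lower()
    if key not in table:
        raise ValueError(f"unrecognised form value: {value!r}")
    return table[key]


def dr_score(hours: Optional[float]) -> int:
    """Tighter recovery window -> higher criticality (assumed bands)."""
    if hours is None:
        return MAX_PER_FIELD
    if hours <= 1:
        return 3
    if hours <= 3:
        return 2
    if hours <= 24:
        return 1
    return 0


def risk_score(form: PreAssessment) -> int:
    """Sum of the four field scores, in the range 0..MAX_TOTAL."""
    return (lookup(DATA_CLASS_SCORE, form.data_class)
            + lookup(EXPOSURE_SCORE, form.exposure)
            + lookup(USERS_SCORE, form.users)
            + dr_score(form.dr_hours))


def risk_rating(total: int) -> str:
    """Map the 0..12 score onto H/M/L. Thresholds are assumed; tune them
    once a few projects have been through the system."""
    if total >= 8:
        return "H"
    if total >= 4:
        return "M"
    return "L"


# Which follow-up work the rating triggers. Assumed mapping built from the
# options listed in the post (scans, interviews, dataflow diagrams).
ACTIVITIES = {
    "H": ["web app scan", "static code analysis", "network scan",
          "interviews", "dataflow diagram"],
    "M": ["web app scan", "network scan", "interviews"],
    "L": ["network scan"],
}


def triage(form: PreAssessment) -> dict:
    """Score a form and return the rating plus the activities it triggers."""
    total = risk_score(form)
    rating = risk_rating(total)
    return {"project": form.project, "score": total,
            "rating": rating, "activities": ACTIVITIES[rating]}


if __name__ == "__main__":
    # Constructed sample forms; the third one is deliberately half-filled.
    forms = [
        PreAssessment("payroll-portal", "confidential", "internet", "employees", 1),
        PreAssessment("intranet-wiki", "internal", "internal", "employees", 24),
        PreAssessment("partner-api", None, "extranet", "partners", None),
    ]
    for f in forms:
        print(triage(f))
```

Running it prints one dictionary per project; the half-filled `partner-api` form lands at H because both blank fields score 3, which is the intended behaviour: the only way to get a lower rating is to answer the form.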


