Educause Security Discussion mailing list archives
Re: Experience with Risk Assessment tools, such as RiskWatch?
From: James Moore <jhmiso () RIT EDU>
Date: Wed, 29 Nov 2006 15:16:40 -0500
Thanks for the links, information and advice. Our risk assessments have been based entirely on the expertise of the people implementing the system, and my own expertise. I get teased a lot with the label that Donn Parker used in his book Fighting Computer Crime, where he described the "Folk Artist" information security person. A faculty member using the book started the label and it stuck. It stuck because, to some extent, it is accurate. I am old enough to have been a programmer when the "software engineering" discipline began to emerge, and I learned a lot. There was a checklist mentality there as well, from people who didn't have experience as programmers. I just want to make sure that I have a balance of the emerging "engineering" practices in the information security and risk management areas. And I hope that, again, I will learn a lot. The other reason that we are looking at it is because it will promote a consistent format.

Thanks for your input.

Jim

-----Original Message-----
From: Brad Judy [mailto:Brad.Judy () COLORADO EDU]
Sent: Wednesday, November 29, 2006 11:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experience with Risk Assessment tools, such as RiskWatch?

Implementing an internal risk assessment framework/process is a significant portion of my duties. You can see the risk assessment/management framework we've created here:
http://www.colorado.edu/its/security/itriskmanagement/

We aren't using any third-party software like RiskWatch, so I can't comment on that part.

The big initial steps in coming up with any risk assessment are defining the scope and depth. These two items, along with the resources at your disposal, will help set the boundaries for your risk assessments.

Once you get into performing risk assessments, I think the most critical aspect is keeping the context of the business, IT environment and true risks in mind. Choosing how to address risks is a business decision, not an IT one - IT merely creates opportunities for risk and risk mitigation. Try not to fall too much into a 'checklist' mentality for risk assessment (this is one thing that worries me about using a software application). While there are some widely applicable items that can be checklist in nature, each situation has its own unique twists. In the end, it's about how much real risk exists, how much can be mitigated/eliminated without unrealistic costs (financial or disruptive) and how much risk can be accepted.

Finally, quantitative analysis can be tricky. One example was a school on one of these lists that noted terrorist attack as a priority for process improvement because they had no existing plans to handle it. This bubbled to the top because they used a quantitative method where the probability of the event was not accurately estimated. The reality is that the probability of such an event is extremely low for most schools, but some may have special situations (like an on-campus nuclear reactor that may be a target).

Read up on the risk assessment links on our page - we linked to our source material, which is publicly available (some Burton/Gartner articles were also used - look those up if you have a subscription).

Brad Judy
IT Security Office
Information Technology Services
University of Colorado at Boulder

-----Original Message-----
From: James Moore [mailto:jhmiso () RIT EDU]
Sent: Wednesday, November 29, 2006 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experience with Risk Assessment tools, such as RiskWatch?

Does anyone have experience with RiskWatch or other tools that help to quantitatively define risks in information systems? I have looked at RiskWatch, and they seem pretty good, but I just haven't found any other similar tools for comparison. Any experiences in implementing internal risk assessments?

RiskWatch also has an ISO 17799 base, so experiences (and tools) for leveraging that standard in a higher ed environment are also welcome.

Thanks,
Jim
Current thread:
- Experience with Risk Assessment tools, such as RiskWatch? James Moore (Nov 29)
- <Possible follow-ups>
- Re: Experience with Risk Assessment tools, such as RiskWatch? David Grisham (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Brad Judy (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Jim Dillon (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? James Moore (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Mclaughlin, Kevin L (mclaugkl) (Nov 30)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Tom Siu (Dec 06)