Educause Security Discussion mailing list archives

Re: Experience with Risk Assessment tools, such as RiskWatch?


From: James Moore <jhmiso () RIT EDU>
Date: Wed, 29 Nov 2006 15:16:40 -0500

Thanks for the links, information and advice.  Our risk assessments have
been based entirely on the expertise of the people implementing the
system, and my own expertise.

I get teased a lot with the label that Donn Parker used in his book
Fighting Computer Crime, where he described the "Folk Artist"
information security person.  A faculty member using the book started
the label and it stuck.  It stuck because, to some extent, it is
accurate.

I am old enough to have been a programmer when the "software
engineering" discipline began to emerge, and I learned a lot.  There was
a checklist mentality there as well, from people who didn't have
experience as programmers.  I just want to make sure that I have a
balance of the emerging "engineering" practices in the information
security and risk management areas.  And I hope that, again, I will
learn a lot.

The other reason that we are looking at it is because it will promote
a consistent format.

Thanks for your input.

Jim

-----Original Message-----
From: Brad Judy [mailto:Brad.Judy () COLORADO EDU] 
Sent: Wednesday, November 29, 2006 11:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Experience with Risk Assessment tools, such as
RiskWatch?

Implementing an internal risk assessment framework/process is a
significant portion of my duties.  You can see the risk
assessment/management framework we've created here:
http://www.colorado.edu/its/security/itriskmanagement/

We aren't using any third-party software like RiskWatch, so I can't
comment on that part.  

The big initial steps in coming up with any risk assessment are defining
the scope and depth.  These two items, along with the resources at your
disposal, will help set the boundaries for your risk assessments.  Once
you get into performing risk assessments, I think the most critical
aspect is keeping the context of the business, IT environment and true
risks in mind.  Choosing how to address risks is a business decision,
not an IT one - IT merely creates opportunities for risk and risk
mitigation.

Try not to fall too much into a 'checklist' mentality for risk assessment
(this is one thing that worries me about using a software application).
While there are some widely applicable items that can be checklist in
nature, each situation has its own unique twists.  In the end, it's
about how much real risk exists, how much can be mitigated/eliminated
without unrealistic costs (financial or disruptive) and how much risk
can be accepted.

Finally, quantitative analysis can be tricky.  One example was a school
on one of these lists that noted terrorist attack as a priority for
process improvement because they had no existing plans to handle it.
This bubbled to the top because they used a quantitative method where
the probability of the event was not accurately estimated.  The reality
is that the probability of such an event is extremely low for most
schools, but some may have special situations (like they have an
on-campus nuclear reactor that may be a target).  

Read up on the risk assessment links on our page - we linked to our
source material which is publicly available (some Burton/Gartner
articles were also used - look those up if you have a subscription).

Brad Judy

IT Security Office
Information Technology Services
University of Colorado at Boulder
 
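The "terrorist attack bubbled to the top" effect Brad describes comes straight out of the arithmetic of a quantitative method: annualized loss expectancy (ALE) is single loss expectancy times annualized rate of occurrence, so an inflated rate on a catastrophic-impact item dominates the ranking. The following is an added illustration, not code from RiskWatch or from either poster, and its risk register is constructed sample data; it ranks a register by ALE, re-ranks under a corrected estimate, and reports the break-even rate at which each item would overtake the rest, which is the number to sanity-check before trusting a ranking.

```python
"""ALE ranking with a probability sensitivity check (constructed example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars per occurrence
    aro: float  # annualized rate of occurrence: estimated events per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE * ARO."""
        return self.sle * self.aro


def rank_by_ale(risks):
    """Risk names ordered from highest to lowest ALE."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def rerank(risks, aro_overrides):
    """Re-rank after substituting corrected ARO estimates by risk name."""
    adjusted = [replace(r, aro=aro_overrides.get(r.name, r.aro)) for r in risks]
    return rank_by_ale(adjusted)


def break_even_aro(risks):
    """For each risk, the ARO at which it would tie the highest-ALE *other*
    risk.  If an estimate sits only slightly above this value, the item's
    position at the top rests on that one estimate, not on the loss data."""
    out = {}
    for r in risks:
        top_other = max((o for o in risks if o is not r), key=lambda o: o.ale)
        out[r.name] = top_other.ale / r.sle
    return out


# Constructed register: hypothetical campus figures, not data from the thread.
REGISTER = [
    Risk("phishing-driven account compromise", sle=20_000, aro=6.0),
    Risk("lost laptop holding PII", sle=150_000, aro=0.5),
    # ARO of 0.01 (once per century) is the kind of inflated guess the
    # thread warns about; it puts this item first with ALE 500,000.
    Risk("terrorist attack on campus", sle=50_000_000, aro=0.01),
]

if __name__ == "__main__":
    print("as entered :", rank_by_ale(REGISTER))
    print("corrected  :", rerank(REGISTER, {"terrorist attack on campus": 1e-5}))
    print("break-even :", break_even_aro(REGISTER))
```

With the estimate corrected to one event in 100,000 years the item drops to the bottom, and the break-even report shows it needed an ARO above 0.0024 (roughly once every 400 years) to lead the register at all.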

-----Original Message-----
From: James Moore [mailto:jhmiso () RIT EDU] 
Sent: Wednesday, November 29, 2006 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Experience with Risk Assessment tools, such as
RiskWatch?

Does anyone have experience with RiskWatch or other tools that help to
quantitatively define risks in information systems?  I have looked at
RiskWatch, and they seem pretty good, but I just haven't found any other
similar tools for comparison.  Any experiences in implementing internal
risk assessments?  RiskWatch also has an ISO 17799 base, so experiences
(and tools) for leveraging that standard in a higher ed environment are
also welcome.
 
Thanks,
 
Jim
