Ovum: Choosing practical risk assessment options
Jul 4, 2012 – Alan Rodger
Regulatory and legislative pressures, which have increased markedly over recent years, have brought greater focus to bear on the management of risk. For each asset, the cost of applying security must be proportionate to the risk to the organization from the particular compromises that are possible. Consequently, risk assessment is an essential step to understanding the need for security protection, and will enable IT security to be seen as a beneficial business asset, rather than an expensive liability. Realizing the importance of properly understanding risk and how it affects them, many organizations are undergoing a relatively new experience in undertaking risk assessments of their operations.
Choosing a risk assessment methodology is an important step
A number of risk assessment methodologies are in widespread use, so one important decision to be taken is which one to adopt. Methodologies have different characteristics and focus areas that can make some better suited than others to an organization. Factors that might be considered in making the selection include whether the methodology is appropriate for the organization’s size and business type. However, perhaps surprisingly, one of the most important considerations is whether it fits with the corporate culture.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology has been used successfully in the financial, insurance, medical, airline, automotive, manufacturing, and federal government sectors. It is framework-neutral, so, for example, it may be used as the risk assessment component within governance frameworks such as those from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technologies (COBIT). It involves an information-led process of risk analysis that identifies risks to the confidentiality, integrity, and availability of critical information. It starts by building asset-based threat profiles, using knowledge from people at different levels of the organization, and is therefore appropriate only for organizations with sufficient commitment to providing the necessary resources. The second stage involves identifying infrastructure vulnerabilities in core operational areas and in selected areas of recognized importance. This allows the threat profiles to be detailed more fully before the final phase, which transforms the information into a risk analysis and subsequently develops the security protection strategy.
CCTA Risk Analysis and Management Method (CRAMM) incorporates an information security and risk analysis framework originally developed in the 1980s by the UK's Central Computer and Telecommunications Agency (CCTA), now the UK's Office of Government Commerce (OGC). As a methodology, CRAMM focuses on information security risks and mitigation advice, and its analysis process assists with the identification of assets (information systems and networks), their values, threat and vulnerability assessment, and recommendations for countermeasures (security requirements and solutions). It is one of the most popular methods and is used in many countries, although it is often considered to need qualified and experienced practitioners to deliver its intended benefits, and is believed to be somewhat difficult to use without assistance from a software tool.
A more efficiency-focused methodology is available in the Cost of Risk Analysis System (CORAS), a European-based standard for IT security risk assessments that takes a component-based approach to security risk assessment. It incorporates elements from other assessment standards, including CRAMM, and uses a model-based approach (again, a software tool is needed) to assess potential incidents and behavior, and the likelihood of their giving rise to risk.
Avoiding pitfalls and choosing efficient options helps to limit the cost
If organizations fail to understand the nature and extent of risks to information resources, and the potential impact on operational activities, it will be impossible to devise a relevant risk management program or to have any certainty about avoiding potential problems. While many organizations no longer have a choice about whether to do so, it will be clear from the selection of assessment methodologies that assessing risk meaningfully is an undertaking that requires a considerable commitment of resources.
Whichever methodology is used, some planning is essential in order to avoid the whole exercise running out of control. Defining the scope of assets and areas to be assessed avoids a sweep of the whole organization in circumstances where that would be too onerous.
One useful way to limit resource needs is to group assets while analyzing threats and vulnerabilities. There is no point in separately assessing separate data resources within the same system when each is subject to the same quantifiable threats. Instead, they can be treated as a single composite asset, as long as the organizational impact of a security breach does not vary across the group of resources; if the impact differed, the level of risk would differ too, and the resources would have to be assessed separately.
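The grouping rule above can be made mechanical: merge resources only when they share a system, the same set of quantifiable threats and the same breach impact, then score each composite once. The following Python is an added illustration, not code from Ovum or from any of the methodologies named; the asset inventory and the threat likelihood ratings are constructed sample values, and the impact times likelihood scoring is an assumption chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One data resource being assessed (constructed sample data)."""
    name: str
    system: str            # the system that hosts the resource
    threats: frozenset     # threat identifiers that apply to the resource
    impact: int            # organizational impact of a breach, 1 (low) to 5 (high)


@dataclass
class CompositeAsset:
    """Resources assessed together because they share a system,
    the same set of threats and the same breach impact."""
    system: str
    threats: frozenset
    impact: int
    members: tuple


# Assumed likelihood rating per threat, 1 (rare) to 5 (frequent); an
# illustrative table, not values from the article or any methodology.
THREAT_LIKELIHOOD = {
    "sql_injection": 3,
    "insider_misuse": 2,
    "ransomware": 4,
}


def group_assets(assets):
    """Merge resources into composite assets.

    Two resources join the same composite only if they sit in the same
    system, face the same quantifiable threats and carry the same breach
    impact. A differing impact means a different level of risk, so such a
    resource stays in its own composite even when its threats match.
    """
    buckets = defaultdict(list)
    for a in assets:
        buckets[(a.system, a.threats, a.impact)].append(a)
    return [
        CompositeAsset(system=system, threats=threats, impact=impact,
                       members=tuple(m.name for m in members))
        for (system, threats, impact), members in buckets.items()
    ]


def risk_score(composite, likelihood=THREAT_LIKELIHOOD):
    """Risk of a composite: its impact times the likelihood of its most
    likely threat (a simple impact x likelihood rating, assumed here)."""
    if not composite.threats:
        return 0
    return composite.impact * max(likelihood[t] for t in composite.threats)


# Constructed sample inventory: a payroll database and a public web site.
SAMPLE_ASSETS = [
    Asset("employee_records", "hr-db", frozenset({"sql_injection", "insider_misuse"}), 4),
    Asset("salary_history", "hr-db", frozenset({"sql_injection", "insider_misuse"}), 4),
    Asset("staff_directory", "hr-db", frozenset({"sql_injection", "insider_misuse"}), 1),
    Asset("cms_content", "web-cms", frozenset({"ransomware"}), 2),
]


def assess(assets=SAMPLE_ASSETS):
    """Return (member names, risk score) per composite, highest risk first."""
    composites = group_assets(assets)
    ranked = sorted(composites, key=risk_score, reverse=True)
    return [(c.members, risk_score(c)) for c in ranked]


if __name__ == "__main__":
    for members, score in assess():
        print(f"risk {score:2d}: {', '.join(members)}")
```

With the sample inventory, `employee_records` and `salary_history` collapse into one composite because they share threats and an impact of 4, whereas `staff_directory` faces the identical threats but a lower impact and so is scored on its own; the assessment therefore covers three composites rather than four resources.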