Re: Risk Assessment/Management - OCTAVE

[filkins () impulse net]

Mark did a pretty good job of targeting the critical questions.  As I
said, a good risk assessment involves good common sense, both
engineering/technical and business/functional sense.

Quoting Fred Cohen <fred.cohen () all net>:

> On Nov 1, 2005, at 12:38 PM, filkins () impulse net wrote:
>
> > I disagree.
>
> Actually, it sound more to me like you agree but don't realize it.
>
> > OCTAVE is designed to involve executive management in the decision  process.
>
> It assert their involvement but it is in fact poorly designed to  achieve it.
>
> > As far as a shopping list, look at the SANS SBS on HIPAA Security.
>
> Just because these attempts share the same problems does not make
> Octave good. A million people agreeing can still be wrong.
>
> >   And
> > I hate to say it but defining the parameters of your risk assessement
> > -- like what is critical -- is somewhat subjective and should be
> > grounded in common sense.
>
> It is not somewhat subjective - it is almost entirely subjective, and
>  is based on the most common sense thing we have in business - the
> views of the people who run the business.
>
> So there we have it - we agree.
>
> FC
>
> > Quoting Fred Cohen <fred.cohen () all net>:
> >
> > > My big problems with OCTAVE are that it largely relies on non-
> > > enumerable lists, the expertise of the person applying it, has lots
> > > of detail and rigor and precision, but no accuracy that I can find,
> > > and it is entirely technical in orientation and ignores most of the
> > > vital element of business decision-making that is the core of risk
> > > management. I should also mention that it completely ignores the ides
> > >  of risk transfer and avoidance in favor of mitigation and
> > > acceptance,  and as such is fairly unrealistic in terms of outcomes.
> > > It is also  very hard to explain to executive management (the CEO)
> > > who has to  actually make these decisions.
> > >
> > > On Oct 31, 2005, at 10:48 AM, Simon Borduas wrote:
> > >
> > > > Hi Mark,
> > > >
> > > > As far as Real life, down to earth methodology. I really Like the
> > > > OCTAVE approach. It will take you by the hand and assist you to make
> > > > your RA like an expert ;)
> > > >
> > > > http://www.cert.org/octave/methodintro.html
> > > >
> > > > And the best thing about it... It's totally free.
> > > >
> > > >
> > > > On 29 Oct 2005 at 18:02, Mark Brunner wrote:
> > > >
> > > >
> > > > > I am looking for a tool, template or clear example of how to
> > > > > perform a Risk
> > > > > Assessment, and then manage the mitigation or acceptance of risk.
> > > > > I've read
> > > > > a lot of the available information regarding the theory,
> > > > > methodologies and
> > > > > strategy, but am having a real hard time taking the concepts  and
> > > > >  applying
> > > > > them to real world items.  I've boiled my risk assessment  effort
> > > > >  to 5 key
> > > > > questions to start with for ease of creating some kind of matrix
> > > > > (spreadsheet for now).
> > > > >
> > > > > For instance, I try to use the following:
> > > > > 1.    What are the resources - Information & Information Systems -
> > > > > I'm actually
> > > > > interested in protecting?
> > > > >     Easy enough to figure out which are the critical items once an
> > > > > inventory is
> > > > > made and relationships are established.
> > > > >
> > > > > 2.    What is the value of those resources, monetary or otherwise?
> > > > >     Easy enough to get the replacement costs of hardware,
> > > > > software, config
> > > > > time, etc. but how do you valuate the data?  Based on time and
> > > > > effort to
> > > > > recreate?
> > > > >
> > > > > 3.    What are the all the possible threats that that those
> > > > > resources face?
> > > > >     Where can I get a compendium of risks to apply to each item
> > > > > for Yes/No
> > > > > response?
> > > > >
> > > > > 4.    What is the likelihood of those threats being realized?
> > > > >     Am I supposed to GUESS at this?  How to quantify?
> > > > >
> > > > > 5.    What would be the impact of those threats on my business
> > > > > or  personal
> > > > > life, if they were realized?
> > > > >     Easy enough to figure out, based on criticality and function.
> > > > >
> > > > > I would appreciate any assistance offered.  I'm floundering...
> > > > >
> > > > > Thanks,
> > > > > Mark
> > > >
> > > > --
> > > > Simon Borduas, CISSP
> > > > Chief Security Officer / Chef de la sécurité
> > > > HyperTec Group / Groupe HyperTec
> > > > Tel: (514) 745.4540 x 5740
> > > > Fax: (514) 745.0937
> > > > http://www.hypertec-group.com
> > >
> > > -- This communication is confidential to the parties it is intended
> > > to serve --
> > > Security Posture            securityposture.com          tel/fax
> > > University of New Haven               unhca.com        925-454-0171
> > > Fred Cohen & Associates                 all.net      572 Leona Drive
> > > Security Management Partners    policygeeks.com    Livermore, CA  94550
>
> -- This communication is confidential to the parties it is intended
> to serve --
> Security Posture            securityposture.com          tel/fax
> University of New Haven               unhca.com        925-454-0171
> Fred Cohen & Associates                 all.net      572 Leona Drive
> Security Management Partners    policygeeks.com    Livermore, CA 94550