Security Basics mailing list archives
Re: Risk Assessment/Management - OCTAVE
From: filkins () impulse net
Date: Tue, 01 Nov 2005 16:00:37 -0800
Mark did a pretty good job of targeting the critical questions. As I said, a good risk assessment involves good common sense, both engineering/technical and business/functional sense. Quoting Fred Cohen <fred.cohen () all net>:
On Nov 1, 2005, at 12:38 PM, filkins () impulse net wrote:I disagree.Actually, it sound more to me like you agree but don't realize it.OCTAVE is designed to involve executive management in the decision process.It assert their involvement but it is in fact poorly designed to achieve it.As far as a shopping list, look at the SANS SBS on HIPAA Security.Just because these attempts share the same problems does not make Octave good. A million people agreeing can still be wrong.And I hate to say it but defining the parameters of your risk assessement -- like what is critical -- is somewhat subjective and should be grounded in common sense.It is not somewhat subjective - it is almost entirely subjective, and is based on the most common sense thing we have in business - the views of the people who run the business. So there we have it - we agree. FCQuoting Fred Cohen <fred.cohen () all net>:My big problems with OCTAVE are that it largely relies on non- enumerable lists, the expertise of the person applying it, has lots of detail and rigor and precision, but no accuracy that I can find, and it is entirely technical in orientation and ignores most of the vital element of business decision-making that is the core of risk management. I should also mention that it completely ignores the ides of risk transfer and avoidance in favor of mitigation and acceptance, and as such is fairly unrealistic in terms of outcomes. It is also very hard to explain to executive management (the CEO) who has to actually make these decisions. On Oct 31, 2005, at 10:48 AM, Simon Borduas wrote:Hi Mark, As far as Real life, down to earth methodology. I really Like the OCTAVE approach. It will take you by the hand and assist you to make your RA like an expert ;) http://www.cert.org/octave/methodintro.html And the best thing about it... It's totally free. On 29 Oct 2005 at 18:02, Mark Brunner wrote:I am looking for a tool, template or clear example of how to perform a Risk Assessment, and then manage the mitigation or acceptance of risk. I've read a lot of the available information regarding the theory, methodologies and strategy, but am having a real hard time taking the concepts and applying them to real world items. I've boiled my risk assessment effort to 5 key questions to start with for ease of creating some kind of matrix (spreadsheet for now). For instance, I try to use the following: 1. What are the resources - Information & Information Systems - I'm actually interested in protecting? Easy enough to figure out which are the critical items once an inventory is made and relationships are established. 2. What is the value of those resources, monetary or otherwise? Easy enough to get the replacement costs of hardware, software, config time, etc. but how do you valuate the data? Based on time and effort to recreate? 3. What are the all the possible threats that that those resources face? Where can I get a compendium of risks to apply to each item for Yes/No response? 4. What is the likelihood of those threats being realized? Am I supposed to GUESS at this? How to quantify? 5. What would be the impact of those threats on my business or personal life, if they were realized? Easy enough to figure out, based on criticality and function. I would appreciate any assistance offered. I'm floundering... Thanks, Mark-- Simon Borduas, CISSP Chief Security Officer / Chef de la sécurité HyperTec Group / Groupe HyperTec Tel: (514) 745.4540 x 5740 Fax: (514) 745.0937 http://www.hypertec-group.com-- This communication is confidential to the parties it is intended to serve -- Security Posture securityposture.com tel/fax University of New Haven unhca.com 925-454-0171 Fred Cohen & Associates all.net 572 Leona Drive Security Management Partners policygeeks.com Livermore, CA 94550-- This communication is confidential to the parties it is intended to serve -- Security Posture securityposture.com tel/fax University of New Haven unhca.com 925-454-0171 Fred Cohen & Associates all.net 572 Leona Drive Security Management Partners policygeeks.com Livermore, CA 94550
Current thread:
- Re: Risk Assessment/Management - OCTAVE Fred Cohen (Nov 01)
- Re: Risk Assessment/Management - OCTAVE filkins (Nov 01)
- Re: Risk Assessment/Management - OCTAVE Fred Cohen (Nov 01)
- Re: Risk Assessment/Management - OCTAVE filkins (Nov 02)
- Re: Risk Assessment/Management - OCTAVE Fred Cohen (Nov 01)
- Re: Risk Assessment/Management - OCTAVE filkins (Nov 01)