Educause Security Discussion mailing list archives
Re: Experience with Risk Assessment tools, such as RiskWatch?
From: Tom Siu <thomas.siu () CASE EDU>
Date: Wed, 6 Dec 2006 14:36:37 -0500
Hi Jim,

I've had a look at Risk Watch a number of years ago, and it was not satisfactory to the Federal Government IT security group I was with. Any pure checklist approach will suffer from lack of perspective or the ability to account for environmental factors.

What I recommend is that each organization take a careful approach to what their organization will tolerate, and match your methodology to your organization. For example, when I was in the insurance industry, taking an engineering-based approach would be completely counter-productive and cultural clash would cause failure.

Some of the best risk management methods I've encountered and used were not based on the early iterations found in the IT security discussion areas, but from software and systems engineering, applied to the IT environment with security as non-functional requirements addressed. A great book to get the systems software perspective is:

"Waltzing with Bears: Managing Risk on Software Projects" by Tom DeMarco and Tim Lister
http://www.systemsguild.com/GuildSite/DandL/WWB.html

I have proposed a presentation topic for the next Educause Security conference in Denver, discussing how to evaluate a risk assessment vendor/contractor, how to build up your in-house capabilities, using OCTAVE, OCTAVE-S, and CRM as basic tools. If anybody would be interested in working on this topic with me, and maybe co-presenting, let me know.

Regards,
Tom

Tom Siu
Chief Information Security Officer
Case Western Reserve University
thomas.siu () case edu
www.case.edu/its/security
my pgp key can be found at pgpkeys.mit.edu
Current thread:
- Experience with Risk Assessment tools, such as RiskWatch? James Moore (Nov 29)
- <Possible follow-ups>
- Re: Experience with Risk Assessment tools, such as RiskWatch? David Grisham (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Brad Judy (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Jim Dillon (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? James Moore (Nov 29)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Mclaughlin, Kevin L (mclaugkl) (Nov 30)
- Re: Experience with Risk Assessment tools, such as RiskWatch? Tom Siu (Dec 06)