Educause Security Discussion mailing list archives

Re: Vulnerability vs. Risk Assessments


From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Thu, 5 Nov 2009 09:35:37 -0700

In addition to the resources Brad mentioned in a previous e-mail, the
Higher Education Information Security Council has developed several
resources related to risk management and risk assessment.

Risk Management overview:
https://wiki.internet2.edu/confluence/display/itsg2/Risk+Management

Information Security Governance Assessment Tool:
http://www.educause.edu/Resources/InformationSecurityGovernanceA/160639

Risk Management Framework:
https://wiki.internet2.edu/confluence/display/itsg2/Risk+Management+Framework

Risk Assessment Tools:
https://wiki.internet2.edu/confluence/display/itsg2/Risk+Assessment+Tools

If you have any questions, please let me know. 
Thank you,
Valerie
_____________

Valerie M. Vogel, Program Associate, EDUCAUSE
Phone: 310-396-7033
E-mail: vvogel () educause edu
http://www.educause.edu/security

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Vakhordjian
Sent: Thursday, November 05, 2009 8:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments

Since we are on this subject....

Anyone have a simple, but well written, risk assessment/report template?

Thanks,
Chris


Eric Case <ecase () EMAIL ARIZONA EDU> 11/5/2009 10:10 AM >>>
Here is Ira Winkler's "formula" for risk.  
Here it is as plain text:

Risk = ((Threat * Vulnerability) / Countermeasures) * Value

Threats (Malicious and Malignant) are the people or entities who can do
you harm if given the opportunity.  Threats are outside your control and
you cannot change them or affect them directly.

Vulnerabilities are the weaknesses that allow the threat to exploit
you.

Countermeasures are the precautions you take.  Reducing the exposure is
a countermeasure.

Value is the potential loss you can experience.  More than a hard asset,
value can be Monetary, Nuisance, Competitor Value, etc.  Most things can
be turned into a monetary value but sometimes they are left as
reputation, etc.

The value part can be very fluid.  Take a simple malware infection.  On
a "stupid user's" machine, the value may be less than on the Provost's
machine, which may still be less than on the CISO's machine.  The same
Countermeasures are in place on all the machines but the Provost can
have a Nuisance factor to deal with, but the CISO can have a major loss
of reputation and a Nuisance factor to deal with.

Vulnerability Assessments are typically looking for technical weaknesses
and Risk Assessments typically look for things that can impact the
enterprise on more than a technical level.

-Eric

Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, November 04, 2009 8:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments

While I definitely agree with the other responses, I also find this
variant on the formula helpful when explaining to non-IT's or
non-tech's:

Risk = Asset * Threat * Vulnerability

Asset represents what other formulae sometimes call "impact".  I just
feel it's a bit more intuitive to call it "asset" since execs think of
assets easily, so do accountants.

Drive any one of those three factors toward zero, and you affect risk
directly.


e.g.

Remove the asset, no risk.  Keep sensitive data out of harm's way.

Reduce threats, lower risk.  Block unnecessary traffic, encrypt
laptops.

Reduce vulnerabilities, reduce risk.  Patch systems.

Nice thing about having Vulnerabilities in the formula is they are one
of the factors you can sometimes directly control through system
management.

Asset reduction can be done with data handling/access controls.

Threat reduction can be done with technical measures, but not always.
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Waller
Sent: Wednesday, November 04, 2009 9:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments

The below is a pretty good explanation. From my experience, a
vulnerability assessment is a look at a
system/site/application/firewall/whatever with an eye towards all of the
vulnerable points. Once you identify the vulnerabilities, you would then
move to a risk assessment by determining what the threat, potential
impact and likelihoods are.

On Wed, Nov 4, 2009 at 9:13 PM, St Clair, Jim <Jim.StClair () gt com>
wrote:

Hi Chris,

Yes they are often used interchangeably, causing confusion. If you think
of the risk formula (threat X impact X likelihood = risk) then a
vulnerability assessment focuses on more technical issues (either a port
is closed or not) while a risk assessment should be more specific to a
business/ process (this open port creates high risk in web services
supporting health records).

Both are useful, and should be conducted periodically. It's only
unfortunate when a service provider calls it the latter but can only
deliver the former.

James A. St.Clair, CISM, PMP
Senior Manager
Global Public Sector
Grant Thornton LLP
T  703-637-3078
F  703-637-4455
C  703-727-6332
E  jim.stclair () gt com 
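As an added illustration of the distinction drawn in this thread (it is not code from any of the posters), the script below takes a list of purely technical scan findings, scores each one with Ira Winkler's formula as Eric quoted it, Risk = ((Threat * Vulnerability) / Countermeasures) * Value, and shows how the ranking changes once business context is attached. It also reproduces Eric's "fluid Value" case (the same infection on a lab workstation, the Provost's laptop and the CISO's laptop) and Gary's levers (patch, add a control, remove the data). All host names, findings, 1-5 scores and function names are constructed for this example.

```python
"""Added example: scoring vulnerability-assessment findings as risks.

Formula (as quoted in the thread): Risk = ((Threat * Vulnerability) / Countermeasures) * Value
Every factor is on a 0..5 scale. All hosts, findings and scores here are
constructed for illustration and do not come from any real assessment.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    """One line of a vulnerability assessment: technical only, no business meaning."""
    host: str
    issue: str
    severity: int  # the Vulnerability term: 1 (cosmetic) .. 5 (trivially exploitable)


@dataclass(frozen=True)
class Context:
    """What the risk assessment adds to a finding: the business meaning of the host."""
    threat: int           # who is motivated and able to go after this host, 1..5
    countermeasures: int  # strength of the controls already in place, 1..5
    value: int            # potential loss: monetary, nuisance, reputation..., 0..5


def winkler_risk(threat, severity, countermeasures, value):
    """Risk = ((Threat * Vulnerability) / Countermeasures) * Value."""
    for name, v in (("threat", threat), ("severity", severity),
                    ("countermeasures", countermeasures), ("value", value)):
        if not 0 <= v <= 5:
            raise ValueError(f"{name} must be 0..5, got {v}")
    if countermeasures == 0:
        # "no controls at all" is scored as 1 on this scale; 0 would divide by zero
        raise ValueError("countermeasures must be at least 1")
    return (threat * severity) / countermeasures * value


def rank_by_severity(findings):
    """Vulnerability-assessment view: hosts ordered by technical severity alone."""
    return [f.host for f in sorted(findings, key=lambda f: f.severity, reverse=True)]


def rank_by_risk(findings, context):
    """Risk-assessment view: the same findings weighted by threat, controls and value.

    A finding whose host has no business context can be reported as a
    vulnerability but cannot be scored as a risk, so that is an error here.
    """
    scored = []
    for f in findings:
        if f.host not in context:
            raise ValueError(f"no business context for {f.host}: cannot score risk")
        c = context[f.host]
        scored.append((f.host, winkler_risk(c.threat, f.severity, c.countermeasures, c.value)))
    return sorted(scored, key=lambda host_risk: host_risk[1], reverse=True)


def treated_risk(finding, ctx, **changes):
    """Residual risk after one treatment. Keyword overrides map to Gary's levers:
    severity= (patch the system), threat= (block unnecessary traffic),
    countermeasures= (add a control), value= (keep sensitive data off the host)."""
    severity = changes.pop("severity", finding.severity)
    ctx = replace(ctx, **changes)
    return winkler_risk(ctx.threat, severity, ctx.countermeasures, ctx.value)


# Constructed sample data (hypothetical hosts and scores).
FINDINGS = [
    Finding("lab-ws-07", "unpatched browser plugin", severity=5),
    Finding("provost-laptop", "unpatched browser plugin", severity=5),
    Finding("ciso-laptop", "unpatched browser plugin", severity=5),
    Finding("hr-records-web", "management port reachable from campus network", severity=3),
]
CONTEXT = {
    # identical finding and identical controls; only Value differs (Eric's point)
    "lab-ws-07": Context(threat=3, countermeasures=2, value=1),
    "provost-laptop": Context(threat=3, countermeasures=2, value=3),
    "ciso-laptop": Context(threat=3, countermeasures=2, value=5),
    # lower technical severity, but it fronts health records (Jim's example)
    "hr-records-web": Context(threat=4, countermeasures=2, value=5),
}

if __name__ == "__main__":
    print("by severity:", rank_by_severity(FINDINGS))
    for host, risk in rank_by_risk(FINDINGS, CONTEXT):
        print(f"{host:16} risk={risk:5.1f}")
    ciso = FINDINGS[2]
    print("ciso-laptop after patching:", treated_risk(ciso, CONTEXT["ciso-laptop"], severity=1))
    hr = FINDINGS[3]
    print("hr-records-web with an added control:",
          treated_risk(hr, CONTEXT["hr-records-web"], countermeasures=4))
```

Run as-is, the severity ranking puts the three severity-5 plugin findings ahead of the severity-3 open port, while the risk ranking puts the CISO's laptop first and the health-records server second, above two of the severity-5 hosts. That reordering is the whole difference between the two assessments: the scan data did not change, the business context did.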
-----Original Message-----

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Wednesday, November 04, 2009 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Vulnerability vs. Risk Assessments

I'm having a hard time articulating the difference between these two
types of assessments, so I'm hoping someone can clearly define them. Any
thoughts are appreciated.

Thanks,
Chris

Chris Kidd
Chief Information Security and Privacy Officer
The University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu 