Re: Risk Assessment/Management - OCTAVE

[filkins () impulse net]

I disagree.

OCTAVE is designed to involve executive management in the decision process.

As far as a shopping list, look at the SANS SBS on HIPAA Security.  And
I hate to say it but defining the parameters of your risk assessement
-- like what is critical -- is somewhat subjective and should be
grounded in common sense.

Quoting Fred Cohen <fred.cohen () all net>:

> My big problems with OCTAVE are that it largely relies on non-
> enumerable lists, the expertise of the person applying it, has lots
> of detail and rigor and precision, but no accuracy that I can find,
> and it is entirely technical in orientation and ignores most of the
> vital element of business decision-making that is the core of risk
> management. I should also mention that it completely ignores the ides
>  of risk transfer and avoidance in favor of mitigation and
> acceptance,  and as such is fairly unrealistic in terms of outcomes.
> It is also  very hard to explain to executive management (the CEO)
> who has to  actually make these decisions.
>
> On Oct 31, 2005, at 10:48 AM, Simon Borduas wrote:
>
> > Hi Mark,
> >
> > As far as Real life, down to earth methodology. I really Like the
> > OCTAVE approach. It will take you by the hand and assist you to make
> > your RA like an expert ;)
> >
> > http://www.cert.org/octave/methodintro.html
> >
> > And the best thing about it... It's totally free.
> >
> >
> > On 29 Oct 2005 at 18:02, Mark Brunner wrote:
> >
> >
> > > I am looking for a tool, template or clear example of how to
> > > perform a Risk
> > > Assessment, and then manage the mitigation or acceptance of risk.
> > > I've read
> > > a lot of the available information regarding the theory,  methodologies and
> > > strategy, but am having a real hard time taking the concepts and  applying
> > > them to real world items.  I've boiled my risk assessment effort  to 5 key
> > > questions to start with for ease of creating some kind of matrix
> > > (spreadsheet for now).
> > >
> > > For instance, I try to use the following:
> > > 1.    What are the resources - Information & Information Systems -
> > > I'm actually
> > > interested in protecting?
> > >     Easy enough to figure out which are the critical items once an
> > > inventory is
> > > made and relationships are established.
> > >
> > > 2.    What is the value of those resources, monetary or otherwise?
> > >     Easy enough to get the replacement costs of hardware,  software, config
> > > time, etc. but how do you valuate the data?  Based on time and  effort to
> > > recreate?
> > >
> > > 3.    What are the all the possible threats that that those
> > > resources face?
> > >     Where can I get a compendium of risks to apply to each item  for Yes/No
> > > response?
> > >
> > > 4.    What is the likelihood of those threats being realized?
> > >     Am I supposed to GUESS at this?  How to quantify?
> > >
> > > 5.    What would be the impact of those threats on my business or  personal
> > > life, if they were realized?
> > >     Easy enough to figure out, based on criticality and function.
> > >
> > > I would appreciate any assistance offered.  I'm floundering...
> > >
> > > Thanks,
> > > Mark
> >
> > --
> > Simon Borduas, CISSP
> > Chief Security Officer / Chef de la sécurité
> > HyperTec Group / Groupe HyperTec
> > Tel: (514) 745.4540 x 5740
> > Fax: (514) 745.0937
> > http://www.hypertec-group.com
>
> -- This communication is confidential to the parties it is intended
> to serve --
> Security Posture            securityposture.com          tel/fax
> University of New Haven               unhca.com        925-454-0171
> Fred Cohen & Associates                 all.net      572 Leona Drive
> Security Management Partners    policygeeks.com    Livermore, CA 94550