Security Basics mailing list archives

RE: Risk Assessment/Management


From: "Joshua Berry" <JBerry () PENSON COM>
Date: Mon, 31 Oct 2005 14:48:45 -0600

If you are interested in the OCTAVE approach, there is a book that does a
very good job of explaining it all:
http://www.amazon.com/exec/obidos/tg/detail/-/0321118863/qid=1130791636/sr=2-1/ref=pd_bbs_b_2_1/103-0274234-9023819?v=glance&s=books


-----Original Message-----
From: Brian McCaleb [mailto:bmccaleb () jouve com] 
Sent: Monday, October 31, 2005 12:25 PM
To: mark_brunner () hotmail com
Cc: security-basics () securityfocus com
Subject: RE: Risk Assessment/Management

Mark,

This book by T. Peltier is pretty decent, in my opinion. I have just
completed a graduate-level risk assessment class, and this was our
textbook. It has clear-cut examples and a walkthrough on how to do a FRAP
(Facilitated Risk Analysis Process).

http://www.amazon.com/gp/product/0849333466/002-5266985-0028061?v=glance&n=283155&s=books&v=glance

I am sure you can find it cheaper on half.com or the like.

Cheers,

Brian

-----Original Message-----
From: Mark Brunner [mailto:mark_brunner () hotmail com]
Sent: Saturday, October 29, 2005 3:02 PM
To: security-basics () securityfocus com
Subject: Risk Assessment/Management


I am looking for a tool, template or clear example of how to perform a
Risk Assessment, and then manage the mitigation or acceptance of risk.
I've read a lot of the available information regarding the theory,
methodologies and strategy, but am having a real hard time taking the
concepts and applying them to real-world items.  I've boiled my risk
assessment effort down to 5 key questions to start with, for ease of
creating some kind of matrix (spreadsheet for now).

For instance, I try to use the following:

1.      What are the resources - Information & Information Systems - I'm
actually interested in protecting?
        Easy enough to figure out which are the critical items once an
inventory is made and relationships are established.

2.      What is the value of those resources, monetary or otherwise?
        Easy enough to get the replacement costs of hardware, software,
config time, etc., but how do you value the data?  Based on time and
effort to recreate?

3.      What are all the possible threats that those resources face?
        Where can I get a compendium of risks to apply to each item for a
Yes/No response?

4.      What is the likelihood of those threats being realized?
        Am I supposed to GUESS at this?  How to quantify?

5.      What would be the impact of those threats on my business or
personal life, if they were realized?
        Easy enough to figure out, based on criticality and function.

I would appreciate any assistance offered.  I'm floundering...

Thanks,
Mark
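The five questions above, turned into a small quantitative risk register. This is an added example that is not part of the original thread and is not OCTAVE or FRAP; it uses the standard single loss expectancy / annualized loss expectancy arithmetic (SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence), values data as the cost to recreate it (one possible answer to question 2, taken here as an assumption), expresses likelihood as an annual rate (question 4) and impact as the fraction of the asset's value lost per occurrence (question 5), and then records a mitigate/accept decision by comparing each ALE against a risk appetite and against the annual cost of a candidate control. The asset names, threats, rates, costs and the risk appetite are all constructed sample figures, not real data.

```python
"""Quantitative risk register: asset, value, threat, likelihood, impact -> decision.

Added illustration only; not OCTAVE, not FRAP, not code from the original thread.
All figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    replacement_cost: float       # Q2: hardware, software, config time
    data_recreation_cost: float   # Q2: ASSUMED data valuation = effort to recreate it

    @property
    def value(self) -> float:
        return self.replacement_cost + self.data_recreation_cost


@dataclass
class Threat:
    name: str
    aro: float              # Q4: annualized rate of occurrence (0.1 = once per 10 years)
    exposure_factor: float  # Q5: fraction of the asset's value lost per occurrence, 0..1


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_factor: float  # fraction of the loss expectancy left with the control in place


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = asset value * exposure factor: the cost of one occurrence."""
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE * ARO: expected loss per year, the number the matrix is sorted on."""
    return single_loss_expectancy(asset, threat) * threat.aro


def decide(ale: float, control: Optional[Control], risk_appetite: float) -> str:
    """Mitigate only if the risk exceeds appetite AND the control saves more than it costs."""
    if ale <= risk_appetite:
        return "accept (within appetite)"
    if control is not None and ale * (1 - control.residual_factor) > control.annual_cost:
        return "mitigate"
    return "accept (needs sign-off: no cost-effective control)"


def build_register(scenarios: Iterable[Tuple[Asset, Threat, Optional[Control]]],
                   risk_appetite: float) -> List[dict]:
    """One row per (asset, threat) pair, highest annual loss first."""
    rows = []
    for asset, threat, control in scenarios:
        ale = annualized_loss_expectancy(asset, threat)
        rows.append({
            "asset": asset.name,
            "threat": threat.name,
            "sle": round(single_loss_expectancy(asset, threat), 2),
            "ale": round(ale, 2),
            "control": control.name if control else "-",
            "decision": decide(ale, control, risk_appetite),
        })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed sample inventory and threat list (hypothetical figures).
FILE_SERVER = Asset("file server", replacement_cost=8000, data_recreation_cost=40000)
LAPTOP = Asset("sales laptop", replacement_cost=2000, data_recreation_cost=500)
WEB_SERVER = Asset("public web server", replacement_cost=5000, data_recreation_cost=1000)

SCENARIOS = [
    (FILE_SERVER, Threat("ransomware", aro=0.2, exposure_factor=0.75),
     Control("offline backups + tested restore", annual_cost=1500, residual_factor=0.2)),
    (FILE_SERVER, Threat("disk failure", aro=0.05, exposure_factor=0.1), None),
    (LAPTOP, Threat("theft", aro=0.3, exposure_factor=1.0),
     Control("full-disk encryption", annual_cost=100, residual_factor=0.6)),
    (WEB_SERVER, Threat("DDoS", aro=2.0, exposure_factor=0.05),
     Control("scrubbing service", annual_cost=3000, residual_factor=0.1)),
]
RISK_APPETITE = 500.0  # constructed: largest ALE tolerated without a recorded decision


def print_register(rows: List[dict]) -> None:
    print(f"{'asset':<20}{'threat':<14}{'SLE':>9}{'ALE':>9}  decision")
    for r in rows:
        print(f"{r['asset']:<20}{r['threat']:<14}{r['sle']:>9.0f}{r['ale']:>9.0f}  {r['decision']}")


if __name__ == "__main__":
    print_register(build_register(SCENARIOS, RISK_APPETITE))
```

The rows that come out are the spreadsheet Mark describes: the ARO and exposure factor are the two numbers you still have to estimate (from incident history, vendor failure rates, or a facilitated workshop), but once they are written down per row they can be revisited and argued about instead of guessed silently. Note that the DDoS row is above appetite yet still ends up accepted, because the only candidate control costs more per year than the loss it would avoid; that case is exactly the one that should be recorded and signed off rather than left implicit.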

