Re: Risk Assessment/Management

[David Knapp <dknapp1 () gmail com>]

Here's one link that might help...
http://www.cert.org/octave/

dbk
On 10/29/05, Mark Brunner <mark_brunner () hotmail com> wrote:
> I am looking for a tool, template or clear example of how to perform a Risk
> Assessment, and then manage the mitigation or acceptance of risk.  I've read
> a lot of the available information regarding the theory, methodologies and
> strategy, but am having a real hard time taking the concepts and applying
> them to real world items.  I've boiled my risk assessment effort to 5 key
> questions to start with for ease of creating some kind of matrix
> (spreadsheet for now).
>
> For instance, I try to use the following:
> 1.      What are the resources - Information & Information Systems - I'm actually
> interested in protecting?
>         Easy enough to figure out which are the critical items once an inventory is
> made and relationships are established.
>
> 2.      What is the value of those resources, monetary or otherwise?
>         Easy enough to get the replacement costs of hardware, software, config
> time, etc. but how do you valuate the data?  Based on time and effort to
> recreate?
>
> 3.      What are the all the possible threats that that those resources face?
>         Where can I get a compendium of risks to apply to each item for Yes/No
> response?
>
> 4.      What is the likelihood of those threats being realized?
>         Am I supposed to GUESS at this?  How to quantify?
>
> 5.      What would be the impact of those threats on my business or personal
> life, if they were realized?
>         Easy enough to figure out, based on criticality and function.
>
> I would appreciate any assistance offered.  I'm floundering...
>
> Thanks,
> Mark


--
dbk
David Knapp
805-471-9456
dknapp1 () gmail com