Educause Security Discussion mailing list archives

Re: Experience with Risk Assessment tools, such as RiskWatch?


From: Tom Siu <thomas.siu () CASE EDU>
Date: Wed, 6 Dec 2006 14:36:37 -0500

Hi Jim,

I had a look at Risk Watch a number of years ago, and it was not
satisfactory to the Federal Government IT security group I was with.
Any pure checklist approach will suffer from lack of perspective or
the ability to account for environmental factors.

What I recommend is that each organization take a careful approach to
what their organization will tolerate, and match your methodology to
your organization.  For example, when I was in the insurance
industry, taking an engineering-based approach would have been completely
counter-productive, and the cultural clash would have caused failure.

Some of the best risk management methods I've encountered and used
were not based on the early iterations found in the IT security
discussion areas, but from software and systems engineering, applied
to the IT environment with security as non-functional requirements
addressed.

A great book to get the systems software perspective is:
"Waltzing with Bears: Managing Risk on Software Projects" by Tom
DeMarco and Tim Lister
http://www.systemsguild.com/GuildSite/DandL/WWB.html

I have proposed a presentation topic for the next Educause Security
conference in Denver, discussing how to evaluate a risk assessment
vendor/contractor, how to build up your in-house capabilities, using
OCTAVE, OCTAVE-S, and CRM as basic tools.  If anybody would be
interested in working on this topic with me, and maybe co-presenting,
let me know.

Regards,
Tom
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
   Tom Siu
   Chief Information Security Officer
   Case Western Reserve University
   thomas.siu () case edu
   www.case.edu/its/security
   my pgp key can be found at pgpkeys.mit.edu
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||