How do you assess IT Risk ?? Please share your way of assessing IT Risk ...
grt
Member Posts: 5 ■□□□□□□□□□
Hi all, I would like to discuss various IT risk assessment methodologies and the methodology you prefer.
Here's the method we follow.
It's gonna be qualitative methodology.
Formula to calculate risk : Risk = Asset value * Threat * Vulnerability.
High = 3, Medium = 2, Low = 1
Asset value : Highest value in AIC. (Availability, Integrity, Confidentiality)
AIC values will be given based on the impact on loss of AIC for each asset.
Example: A database server of a critical application will be given High for all three: Availability, Integrity, Confidentiality.
Whereas for a user workstation, availability will have less value, and that's not gonna matter since the highest value in the AIC triad is taken as the asset value.
Threat : Common threats are considered for a newly provisioned IT asset. i.e. Hardware failure, configuration failure, power failure, unauthorized access and many. Apart from these, threats found from VAPT will be included.
Vulnerability : It's calculated on account of likelihood of occurrence. We usually check the control gap for a respective threat and vulnerability is calculated based on likelihood.
Example : As we spoke about a DB server.
Asset value = High = 3
Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3
Hence Total risk = 27
Another example.
Asset value = High = 3
Threat = Database corrupted = High = 3
Control Implemented : Log shipping on Database is set to 60 minutes.
Vulnerability = Data loss = Medium = 2
Hence Total risk = 18
For us accepted risk value is <=9. Anything more than that, has to undergo risk treatment plan.
I know our methodology is simple. But we wish to enhance it and make it more accurate.
Kindly share your methodology and the flaw you find in our method.
Cheers
- G
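The scoring method in the post above, written out as a small calculator. This is an added example, not the poster's own tooling: the 3/2/1 scale, the "highest value in AIC" rule for asset value, the Asset value * Threat * Vulnerability product and the <= 9 acceptance threshold come from the post; the class and function names, the workstation ratings and the third scenario are constructed here for illustration.

```python
"""Qualitative risk calculator for the Asset * Threat * Vulnerability method.

Added illustration of the method described in the post; not the poster's code.
Scale, asset-value rule and threshold are from the post; names and the
sample inventory below are constructed.
"""
from dataclasses import dataclass

# Qualitative scale from the post: High = 3, Medium = 2, Low = 1
SCALE = {"High": 3, "Medium": 2, "Low": 1}
ACCEPTED_RISK_MAX = 9  # post: risk <= 9 is accepted, anything higher needs a treatment plan


@dataclass(frozen=True)
class Asset:
    name: str
    availability: str
    integrity: str
    confidentiality: str

    def value(self) -> int:
        """Asset value = highest rating across the AIC triad (rule from the post)."""
        return max(SCALE[self.availability], SCALE[self.integrity], SCALE[self.confidentiality])


@dataclass(frozen=True)
class RiskScenario:
    asset: Asset
    threat: str
    threat_rating: str
    vulnerability: str
    vulnerability_rating: str
    control: str = ""  # implemented control that justified the vulnerability rating, if any


def risk_score(s: RiskScenario) -> int:
    """Risk = Asset value * Threat * Vulnerability, each on the 3/2/1 scale."""
    return s.asset.value() * SCALE[s.threat_rating] * SCALE[s.vulnerability_rating]


def disposition(score: int) -> str:
    """Accept at or below the threshold; otherwise the scenario goes to a treatment plan."""
    return "accept" if score <= ACCEPTED_RISK_MAX else "treatment plan"


def assess(scenarios):
    """Return (scenario, score, disposition) rows, highest risk first."""
    rows = [(s, risk_score(s), disposition(risk_score(s))) for s in scenarios]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def reachable_scores() -> list:
    """Every distinct product of three 3/2/1 ratings: shows how coarse the scale is."""
    return sorted({a * t * v for a in SCALE.values() for t in SCALE.values() for v in SCALE.values()})


# Constructed sample inventory mirroring the two worked examples in the post,
# plus one workstation scenario (ratings constructed, not from the post).
DB_SERVER = Asset("critical app DB server", "High", "High", "High")
WORKSTATION = Asset("user workstation", "Low", "Medium", "Medium")

SCENARIOS = [
    RiskScenario(DB_SERVER, "unauthorized access", "High", "inadequate access control", "High"),
    RiskScenario(DB_SERVER, "database corrupted", "High", "data loss", "Medium",
                 control="log shipping every 60 minutes"),
    RiskScenario(WORKSTATION, "hardware failure", "Medium", "no spare hardware", "Medium"),
]

if __name__ == "__main__":
    for s, score, action in assess(SCENARIOS):
        print(f"{s.asset.name:24} {s.threat:22} {score:3}  -> {action}")
    print("reachable scores:", reachable_scores())
```

Running it reproduces the post's two results (27 and 18, both above the threshold) and rates the constructed workstation scenario at 8, which is accepted. `reachable_scores()` makes one property of the method visible: a product of three 1-3 ratings can only take ten distinct values (1, 2, 3, 4, 6, 8, 9, 12, 18, 27), so the <= 9 threshold effectively separates "at most one High among the three factors, or High/High/Low" from everything else.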
Comments
-
chickenlicken09 Member Posts: 537 ■■■■□□□□□□
Not sure, but you may get more of a response in the CISSP thread.
-
philz1982 Member Posts: 978
Read my blog @ www.buildingautomationmonthly.com
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
-
Cyberscum Member Posts: 795 ■■■■■□□□□□
The method you are using does not factor in a lot of things, and although in theory it's a risk assessment, it's weak at most.
Please follow this if you have time and manpower:
http://www.google.com/url?url=http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf&rct=j&frm=1&q=&esrc=s&sa=U&ei=mlvCVKLBFof4yQTXyoHwAg&ved=0CBQQFjAA&usg=AFQjCNE_C77zBP4z30WTnhO16MxCq38zUA -
philz1982 Member Posts: 978
The method you are using does not factor in a lot of things, and although in theory it's a risk assessment, it's weak at most.
Please follow this if you have time and manpower:
http://www.google.com/url?url=http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf&rct=j&frm=1&q=&esrc=s&sa=U&ei=mlvCVKLBFof4yQTXyoHwAg&ved=0CBQQFjAA&usg=AFQjCNE_C77zBP4z30WTnhO16MxCq38zUA
I like to use 30 if they are ok with it. Some folks want other stuff; it seems to be based on how early you influence the selection of the framework.
Read my blog @ www.buildingautomationmonthly.com
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito