grt wrote:

Hi all,

I would like to discuss various IT risk assessment methodologies and the methodology you prefer. Here's the method we follow. It's gonna be a qualitative methodology.

Formula to calculate risk: Risk = Asset value * Threat * Vulnerability. High = 3, Medium = 2, Low = 1.

Asset value: the highest value in AIC (Availability, Integrity, Confidentiality). AIC values will be given based on the impact of the loss of AIC for each asset. Example: a database server of a critical application will be given High for all three (Availability, Integrity, Confidentiality), whereas for a user workstation, availability will have a lower value, and that's not gonna matter since the highest value in the AIC triad is taken as the asset value.

Threat: common threats are considered for a newly provisioned IT asset, i.e. hardware failure, configuration failure, power failure, unauthorized access and many more. Apart from these, threats found from VAPT will be included.

Vulnerability: it's calculated on account of the likelihood of occurrence. We usually check the control gap for a respective threat, and vulnerability is calculated based on likelihood.

Example: as we spoke about a DB server.
Asset value = High = 3
Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3
Hence total risk = 27

Another example:
Asset value = High = 3
Threat = database corrupted = High = 3
Control implemented: log shipping on the database is set to 60 minutes.
Vulnerability = data loss = Medium = 2
Hence total risk = 18

For us the accepted risk value is <= 9. Anything more than that has to undergo a risk treatment plan.

I know our methodology is simple, but we wish to enhance it and make it more accurate. Kindly share your methodology and the flaws you find in our method.

Cheers - G
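The scoring method from the post above, written up as an added example (this is not code from grt's post); the workstation AIC ratings are constructed values. Beyond the two worked cases it also enumerates every rating combination that crosses the <= 9 acceptance line, which makes the coarseness of the threshold visible.

```python
from itertools import product

# Qualitative scale used in the post: High = 3, Medium = 2, Low = 1.
RATING = {"Low": 1, "Medium": 2, "High": 3}
ACCEPTABLE_RISK = 9  # post: accepted risk value is <= 9


def asset_value(availability, integrity, confidentiality):
    """Asset value is the highest of the three AIC impact ratings."""
    return max(RATING[availability], RATING[integrity], RATING[confidentiality])


def risk_score(asset, threat, vulnerability):
    """Risk = Asset value * Threat * Vulnerability, each on the 1..3 scale."""
    return asset * RATING[threat] * RATING[vulnerability]


def needs_treatment(score):
    """Anything above the accepted value goes to a risk treatment plan."""
    return score > ACCEPTABLE_RISK


def assess(name, aic, threat, threat_rating, vulnerability, vuln_rating):
    """One risk register row: asset, threat, vulnerability, score, decision."""
    score = risk_score(asset_value(*aic), threat_rating, vuln_rating)
    return {"asset": name, "threat": threat, "vulnerability": vulnerability,
            "score": score, "treatment_required": needs_treatment(score)}


def combinations_requiring_treatment():
    """All (asset, threat, vulnerability) rating triples above the threshold.
    With a 1..3 scale and threshold 9 only a few triples ever qualify."""
    return [(a, t, v) for a, t, v in product(RATING, repeat=3)
            if needs_treatment(risk_score(RATING[a], t, v))]


if __name__ == "__main__":
    db = ("High", "High", "High")                 # critical DB server (from the post)
    ws = ("Low", "Medium", "High")                # user workstation (constructed ratings)
    print(assess("DB server", db, "unauthorized access", "High",
                 "inadequate access control", "High"))      # score 27
    print(assess("DB server", db, "database corrupted", "High",
                 "data loss (60 min log shipping)", "Medium"))  # score 18
    print(assess("workstation", ws, "hardware failure", "Medium",
                 "no spare hardware", "Medium"))            # score 12
    print(len(combinations_requiring_treatment()), "of 27 combinations need treatment")
```

The enumeration shows that only 7 of the 27 possible rating combinations exceed 9, so a High asset with one High and one Low rating (score 9) is always accepted.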