How do you assess IT risk ???? Please share your methedology ...
Hi all, I would like to discuss about various IT risk assessment methodologies and the methodology you prefer.
Here's the method we follow.
It's gonna be qualitative methodology.
Formula to calculate risk : Risk = Asset value * Threat * Vulnerability.
High - 3, Medium -2, Low -1
Asset value : Highest value in AIC. (Availability, Integrity, Confidentiality)
AIC values will be given based on the impact on loss of AIC for each asset.
example : A Database server of critical application will be given High for all three Availability, Integrity,Confidentiality.
whereas for a user workstation, availability will have less value and that's not gonna matter since highest value in AIC triad is taken as asset value.
Threat : Common threats are considered for a newly provisioned IT asset. i.e. Hardware failure, configuration failure, power failure, unauthorized access and many. Apart from these, threats found from VAPT will be included.
Vulnerability : It's calculated on account of likelihood of occurrence. We usually check the control gap for a respective threat and vulnerability is calculated based on likelihood.
Example : As we spoke about a DB server.
Asset value =High = 3.
Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3
Hence Total risk = 27
Another example.
Asset value = High = 3
Threat = Database corrupted = High = 3
Control Implemented : Log shipping on Database is set to 60 minutes.
Vulnerability = Data loss = Medium = 2
Hence Total risk = 18
For us accepted risk value is <=9. Anything more than that, has to undergo risk treatment plan.
I know our methodology is simple. But we wish to enhance and more accurate.
Kindly share your methodology and the flaw you find in our method.
Cheers
- G
Here's the method we follow.
It's gonna be qualitative methodology.
Formula to calculate risk : Risk = Asset value * Threat * Vulnerability.
High - 3, Medium -2, Low -1
Asset value : Highest value in AIC. (Availability, Integrity, Confidentiality)
AIC values will be given based on the impact on loss of AIC for each asset.
example : A Database server of critical application will be given High for all three Availability, Integrity,Confidentiality.
whereas for a user workstation, availability will have less value and that's not gonna matter since highest value in AIC triad is taken as asset value.
Threat : Common threats are considered for a newly provisioned IT asset. i.e. Hardware failure, configuration failure, power failure, unauthorized access and many. Apart from these, threats found from VAPT will be included.
Vulnerability : It's calculated on account of likelihood of occurrence. We usually check the control gap for a respective threat and vulnerability is calculated based on likelihood.
Example : As we spoke about a DB server.
Asset value =High = 3.
Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3
Hence Total risk = 27
Another example.
Asset value = High = 3
Threat = Database corrupted = High = 3
Control Implemented : Log shipping on Database is set to 60 minutes.
Vulnerability = Data loss = Medium = 2
Hence Total risk = 18
For us accepted risk value is <=9. Anything more than that, has to undergo risk treatment plan.
I know our methodology is simple. But we wish to enhance and more accurate.
Kindly share your methodology and the flaw you find in our method.
Cheers
- G
Comments
-
JDMurray
Admin Posts: 13,092 Admin
You only do qualitative risk assessments? How to you calculate if you would incur too much financial cost to protect a given asset? -
astudent
Member Posts: 26 ■□□□□□□□□□
Hi all, I would like to discuss about various IT risk assessment methodologies and the methodology you prefer.
Here's the method we follow.
It's gonna be qualitative methodology.
Formula to calculate risk : Risk = Asset value * Threat * Vulnerability.
High - 3, Medium -2, Low -1
Asset value : Highest value in AIC. (Availability, Integrity, Confidentiality)
AIC values will be given based on the impact on loss of AIC for each asset.
example : A Database server of critical application will be given High for all three Availability, Integrity,Confidentiality.
whereas for a user workstation, availability will have less value and that's not gonna matter since highest value in AIC triad is taken as asset value.
Threat : Common threats are considered for a newly provisioned IT asset. i.e. Hardware failure, configuration failure, power failure, unauthorized access and many. Apart from these, threats found from VAPT will be included.
Vulnerability : It's calculated on account of likelihood of occurrence. We usually check the control gap for a respective threat and vulnerability is calculated based on likelihood.
Example : As we spoke about a DB server.
Asset value =High = 3.
Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3
Hence Total risk = 27
Another example.
Asset value = High = 3
Threat = Database corrupted = High = 3
Control Implemented : Log shipping on Database is set to 60 minutes.
Vulnerability = Data loss = Medium = 2
Hence Total risk = 18
For us accepted risk value is <=9. Anything more than that, has to undergo risk treatment plan.
I know our methodology is simple. But we wish to enhance and more accurate.
Kindly share your methodology and the flaw you find in our method.
Cheers
- G
Thank you for sharing your risk assessment methodology. I am confused a little bit though. For example, why do you rate both threats and vulnerability? The likelihoods that threats would exploit a vulnerability to affect an asset is the one that should be rated after threats and vulnerabilities are identified. I use the following simple formula to decide risk ranking.
risk = likelihood * impact on asset
