How do you assess IT risk? Please share your methodology ...

grtgrt Member Posts: 5
Hi all, I would like to discuss various IT risk assessment methodologies and the methodology you prefer.

Here's the method we follow.

It's gonna be a qualitative methodology.

Formula to calculate risk: Risk = Asset value * Threat * Vulnerability.

High = 3, Medium = 2, Low = 1

Asset value: highest value in AIC (Availability, Integrity, Confidentiality).
AIC values will be given based on the impact of loss of AIC for each asset.
Example: a database server of a critical application will be given High for all three: Availability, Integrity, Confidentiality.
Whereas for a user workstation, availability will have a lower value, and that's not gonna matter since the highest value in the AIC triad is taken as the asset value.

Threat: common threats are considered for a newly provisioned IT asset, i.e. hardware failure, configuration failure, power failure, unauthorized access and many more. Apart from these, threats found from VAPT will be included.

Vulnerability: it's calculated on account of likelihood of occurrence. We usually check the control gap for the respective threat, and vulnerability is calculated based on likelihood.

Example: as we spoke about a DB server.

Asset value = High = 3

Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3

Hence total risk = 27

Another example.

Asset value = High = 3

Threat = Database corrupted = High = 3

Control implemented: log shipping on the database is set to 60 minutes.

Vulnerability = Data loss = Medium = 2

Hence total risk = 18

For us the accepted risk value is <= 9. Anything more than that has to undergo a risk treatment plan.

I know our methodology is simple, but we wish to enhance it and make it more accurate.

Kindly share your methodology and the flaws you find in our method.


Cheers

- G

Comments

  • JDMurray (Admin, Surf City, USA; MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+) Posts: 11,667
    You only do qualitative risk assessments? How do you calculate if you would incur too much financial cost to protect a given asset?
  • astudent Member Posts: 26
    grt wrote: »
    [the original post, quoted in full]

    Thank you for sharing your risk assessment methodology. I am a little bit confused, though. For example, why do you rate both threats and vulnerability? The likelihood that threats would exploit a vulnerability to affect an asset is the one that should be rated after threats and vulnerabilities are identified. I use the following simple formula to decide risk ranking.

    risk = likelihood * impact on asset
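As an added example (not code from the thread), the original post's three-factor scoring and astudent's likelihood * impact alternative are both worked in Python: the two DB server scenarios reproduce the post's 27 and 18, the workstation asset and its hardware-failure scenario are constructed, and `accepted_combinations()` counts how many of the 27 possible rating triples fall inside the <= 9 acceptance band, which shows how coarse the scale is in practice.

```python
from dataclasses import dataclass
from enum import IntEnum
from itertools import product

class Rating(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

ACCEPTED_RISK_MAX = 9  # the post's threshold: risk <= 9 is accepted, anything above needs a treatment plan

@dataclass
class Asset:
    name: str
    availability: Rating
    integrity: Rating
    confidentiality: Rating
    def value(self) -> Rating:
        # Asset value is the highest rating in the AIC triad, as the post describes.
        return max(self.availability, self.integrity, self.confidentiality)

@dataclass
class Scenario:
    asset: Asset
    threat: str
    threat_rating: Rating
    vulnerability: str
    vulnerability_rating: Rating
    def risk(self) -> int:
        # Risk = Asset value * Threat * Vulnerability (each 1..3, so the maximum is 27).
        return int(self.asset.value()) * int(self.threat_rating) * int(self.vulnerability_rating)
    def needs_treatment(self) -> bool:
        return self.risk() > ACCEPTED_RISK_MAX

def likelihood_impact_risk(likelihood: Rating, impact: Rating) -> int:
    # astudent's two-factor alternative: risk = likelihood * impact on asset (maximum 9).
    return int(likelihood) * int(impact)

def accepted_combinations() -> list:
    # Every (asset, threat, vulnerability) rating triple that lands at or below the threshold.
    return [t for t in product(Rating, repeat=3) if t[0] * t[1] * t[2] <= ACCEPTED_RISK_MAX]

def build_register() -> list:
    db = Asset("DB server of a critical application", Rating.HIGH, Rating.HIGH, Rating.HIGH)
    ws = Asset("User workstation", Rating.LOW, Rating.MEDIUM, Rating.HIGH)  # constructed; max rule still gives High
    return [
        Scenario(db, "unauthorized access", Rating.HIGH, "inadequate access control", Rating.HIGH),
        Scenario(db, "database corrupted", Rating.HIGH, "data loss (log shipping every 60 min)", Rating.MEDIUM),
        Scenario(ws, "hardware failure", Rating.MEDIUM, "no spare hardware", Rating.LOW),  # constructed
    ]
```

Twenty of the 27 rating combinations are accepted under the threshold, so only scenarios with at least two High ratings (or two Medium and one High) ever reach a treatment plan.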