When analyzing assets which analysis method assigns?
The IT Infrastructure Library (ITIL®) promotes the CCTA Risk Analysis and Management Method (CRAMM) for risk assessment. Everyone agrees managing risk is critical, yet few actually use CRAMM or any other formal system! Part of the reason for this is that CRAMM is a sophisticated software tool that requires a trained practitioner to operate. However, if you examine CRAMM, you soon realize you can obtain many of the benefits without investing in consultants or expensive software solutions. CRAMM is simply a process template for analyzing risks (threats an asset faces due to vulnerabilities) and then managing those risks through countermeasures. While CRAMM software includes over 3,000 countermeasures in its database -- something you don't get doing CRAMM yourself -- you can still achieve sound risk assessments. Following I will explain CRAMM goals, methods, techniques and applications; then I will show how to gain many CRAMM benefits in a matter of minutes -- for very low cost.

CRAMM provides a framework to calculate risk from asset values and vulnerabilities, referred to as Risk Analysis. The framework also helps you avoid, reduce, or choose to accept these risks, referred to as Risk Management. The idea is that by analyzing assets one can realize the potential damage caused by a failure in Confidentiality (unauthorized disclosure), Integrity (unauthorized modification or misuse) or Availability (destruction or loss). CRAMM supposes that it is cost prohibitive to eliminate risk, but that you can cost effectively mitigate risk by structured analysis of assets. CRAMM follows a rigid format. CRAMM:
CRAMM has three stages:
Risk Assessment comprises stage 1 and about half of stage 2; Risk Management the balance of stage 2 and stage 3. At each stage there is discussion and agreement with the appropriate level of management. This is where awareness of the issues builds in management. One of the most difficult aspects of risk management is justifying the costs involved, which may be very high. Traditional cost vs. benefit analysis does not work well for security, and CRAMM provides a clearer method for showing the potential cost to an organization. CRAMM also involves the entire organization (management, IT staff and customers) in the process, creating buy-in and acceptance of the result of your assessment.

The Manual CRAMM

Without the CRAMM software, you can approximate a CRAMM session using some paper, pencils, office tools like spreadsheets and word processors, the knowledge of your staff, the security incidents that have occurred, and of course, news about the latest hacker exploits. The following assessment process is based on CRAMM tenets, but does not provide the same level of detail, control, or options as the CRAMM software. On the other hand, you won't spend thousands of dollars and you will still find it capable and valuable! Figure 1 shows the results of a completed "Manual CRAMM" assessment.
Following is a 10-step plan that involves IT staff and the Business, enhances the IT infrastructure (products) and organization (people, process) security, and provides sound financial justification to the business for the expenditures required.
For a, and c above, have the data owner first choose a category for each, then a value within the category. For example, for Integrity, have them choose first from low, moderate, high and very high. Then, if they chose moderate in this case, ask them to rank the impact on a scale of 4 to 7.
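The two-step scoring just described (category first, then a rank inside that category) is easy to get wrong on paper: an owner who says "moderate" and then writes down 9 has silently changed their answer. The following Python is an added example, not code from the original article or from the CRAMM product, that enforces the band check, combines the three impact ratings into an asset value, and ranks assets by a simple risk figure. Only the moderate band (4 to 7) comes from the text; the other bands, the worst-case rule for asset value, and the 1 to 5 threat and vulnerability scales are assumptions made for this example and are not CRAMM's own tables.

```python
from dataclasses import dataclass

# Assumed rank bands for the two-step scoring. The text only gives the
# "moderate" band (4 to 7); the remaining bands are constructed for this
# example and are not taken from CRAMM's own tables.
IMPACT_BANDS = {
    "low": range(1, 4),         # 1-3
    "moderate": range(4, 8),    # 4-7
    "high": range(8, 10),       # 8-9
    "very high": range(10, 11), # 10
}


def score_impact(category: str, rank: int) -> int:
    """Validate a (category, rank) answer from the data owner.

    The rank must fall inside the band of the chosen category, so the two
    answers cannot contradict each other.
    """
    band = IMPACT_BANDS.get(category.lower())
    if band is None:
        raise ValueError(f"unknown impact category: {category!r}")
    if rank not in band:
        raise ValueError(
            f"rank {rank} is outside the {category!r} band "
            f"{band.start}-{band.stop - 1}"
        )
    return rank


@dataclass
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    @property
    def value(self) -> int:
        # Assumption for this example: an asset is worth its worst-case
        # impact, because a failure in any one property causes that damage.
        return max(self.confidentiality, self.integrity, self.availability)


def build_asset(name, c, i, a) -> Asset:
    """c, i, a are (category, rank) pairs as answered by the data owner."""
    return Asset(name, score_impact(*c), score_impact(*i), score_impact(*a))


def risk_score(asset: Asset, threat: int, vulnerability: int) -> int:
    """Constructed risk measure: asset value x threat level x vulnerability level.

    Threat and vulnerability are on an assumed 1-5 scale; CRAMM's real lookup
    tables are not reproduced here.
    """
    for label, level in (("threat", threat), ("vulnerability", vulnerability)):
        if not 1 <= level <= 5:
            raise ValueError(f"{label} level must be 1-5, got {level}")
    return asset.value * threat * vulnerability


def rank_assets(register):
    """register: list of (asset, threat, vulnerability) tuples.

    Returns (score, asset name) pairs, highest risk first, so the
    countermeasure discussion starts with the assets that matter most.
    """
    scored = [(risk_score(a, t, v), a.name) for a, t, v in register]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    # Constructed interview answers; not real data from any organization.
    payroll = build_asset("payroll database",
                          ("high", 8), ("moderate", 6), ("moderate", 5))
    intranet = build_asset("intranet wiki",
                           ("low", 2), ("low", 3), ("moderate", 4))
    for score, name in rank_assets([(payroll, 4, 3), (intranet, 2, 4)]):
        print(f"{score:4d}  {name}")
```

The band check is the part worth keeping even if you replace the arithmetic: it turns the interview answers into something you can defend in the management discussion at each stage, because every number on the worksheet is tied to a category the owner explicitly chose.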
The concepts of CRAMM applied via formal methods like these ensure consistent identification of risks and countermeasures, and provide cost justification for the countermeasures proposed. Even without expensive CRAMM software, you can gain powerful benefits like driving Business/IT Alignment, bringing security risks to the forefront, and assisting in the cost justification of countermeasures.
What are the types of risk analysis?

There are two main risk analysis methods. The easier and more convenient method is qualitative risk analysis. Qualitative risk analysis rates or scores risk based on perception of the severity and likelihood of its consequences. Quantitative risk analysis, on the other hand, calculates risk based on available data.
How do you identify assets for risk assessments?

The best way to identify assets is to interview asset owners. The 'asset owner' is the individual or entity responsible for controlling the production, development, maintenance, use and security of an information asset. They will know how information flows through their department.
What is the risk analysis process?

Risk analysis is the process of identifying and analyzing potential issues that could negatively impact key business initiatives or projects. This process is done in order to help organizations avoid or mitigate those risks.
How do IT assets help management in risk analysis?

Asset management is all about providing the baseline for risk assessment and control. Management (not security management or information technology management) should be given the ability to know and assess risk and to assign means (resources and priorities) to mitigate that risk for the business and operations.