Tuesday, May 24, 2005

New Age Risk Assessments

It would seem that clients are turning their backs on the Risk Assessment as we know it, and that probably makes sense. The security landscape has changed a great deal in the three years since the original detailed risk assessment was conceived and then turned, by the big consulting firms, into a months-long, $250K engagement producing a 300-page report that nobody followed up on and that had a shelf life of about three months.

For a start, the threats are better known, and the proliferation of malicious code and worms pretty much guarantees that you will be hit by certain types of incidents; the probability is effectively 100%. Current thinking, as embodied in various standards and industry-specific regulations, implies a holistic approach to risk management: technical, operational, and administrative controls, plus the assessments needed to establish how effective those controls are at managing the organization's information technology (IT) risks. The results of the risk-analysis methods in common use in IT systems today are suspect because the source data and the assumptions behind their conclusions are subjective and may be flawed or inconsistent. The results of vulnerability and penetration assessments are of limited value for a different reason: they rest on the assumption that all possible vulnerabilities can be known and tested for, which is clearly not possible.

Customers are turning to new-age methodologies such as FARES (Formal Analysis of Risk in Enterprise Systems) and OCTAVE from Carnegie Mellon University's Software Engineering Institute.

OCTAVE helps companies identify infrastructure vulnerabilities, prioritize information assets, and create asset-specific threat profiles and mitigation plans. FARES introduces a novel technique that manages risk to an enterprise in terms of how well hardened, technically, operationally and administratively, the enterprise is against attack. Using the concept of formal analysis of the communications channels between security policy domains, the FARES process addresses threats, vulnerabilities, impacts and countermeasures from the perspective of a forensic analysis of the target enterprise responding to various threat models.

The intent is to use a rapid, simpler methodology to facilitate the adoption of security as an operational risk management issue, not as a tactical function.

For info on OCTAVE, follow the topic link. For info on FARES, follow this link: http://www.secureworldexpo.com/events/conference-details.php?cid=234
