Risk Management Blog

Risk Assessment Methodology Update

rybolov — Wed, 11 Jul 2007 11:28:00 GMT

With a couple of volunteers, work on the RA Methodology has been moving forward. I spent some of the last week working on the front and back of it, adding in the niceties like the license snippet, links to other risk assessment/management guides, etc.

While I can crank out the various sections myself, I would like a couple more volunteers to help out, especially people who will "adopt" one of the following sections and commit to getting it to 75% done:

Determine Threats
Determine Countermeasures
Determine Vulnerabilities
Determine Risk

I've found that with more people working on the document, it gets a very different flavor than if there is one sole author.

Until next time

--Rybolov

Getting Back on the Horse

rybolov — Fri, 22 Jun 2007 02:25:00 GMT

"First we said it was too cold and that the fish were not feeding. Then we said it was too sunny and the fish were scared. Then we discovered that the fish had gone elsewhere. When we found the fish, we started casting to them with nice juicy baitfish flies."

So also is the story of the ISM Community Risk Assessment Methodology. After more than a few false-starts (Curphey changing the server platform, some flirtation with FAIR, almost scoring a free methodology to have and to hold, the apparent ADHD of the project lead), we are continuing down the merry path of creating our own risk assessment methodology.

Now that we're back to casting for trout, I would like to issue an Internet-wide call for volunteers. What I'm looking for is about a dozen people who know Risk Assessment and simultaneously know how to write well.

Really the methodology consists of several parts:

A document that describes the process (partially started)
A set of artifacts to assist in the process such as inventory spreadsheets and a risk register (partially done)
Reference implementations where we take the process and test it out (not yet, we need the process first)
References and similar projects
Glossary
Foo

I have a handy-dandy spreadsheet to track status. If you are interested in helping out, go to the RA forum at http://www.ism-community.org/forums/t/564.aspx (it's broken right now, I tried to upload the spreadsheet and it bombed out on me) or shoot me an email with a description of what you would like to help out with.

Cheers
--Mike

State of Risk Management in ISM-Community

rybolov — Wed, 02 May 2007 15:50:00 GMT

ISM-Community was originally created and the steering committee formed in Fall of 2006. During that time, one of our key activities was to come up with a list of projects that were worthwhile, and that list became somewhat of a direction for us to move in.

One of the first priorities has been to develop a risk assessment methodology. Me being of a US Government mindset, my first question was "What's wrong with NIST SP 800-30?" Well, 800-30 is a good start, but like I've said before, there are some things such as templates, examples, and suggestions that NIST can't give you because then all the auditors take it as gospel/doctrine instead of implementation technique. We want to bridge that gap.

We traveled down the RA Methodology road over the past 6 months or so and due to a handful of factors, mostly time constraints (find me a security person worth anything at all and they're up to their eyeballs in projects) and a couple of false paths we've gone down (FAIR was a good one, but we had a philosophy/licensing issue), the project has stuttered.

What remains to be done? Well, this is my roadmap for the near- to moderate-term future:

Finish off the remaining RA Methodology sections
Creation of artifacts/templates/examples to support the methodology
Field-testing to validate the methodology

At some point, the artifacts will suffer from scope-creep as they become a set of ISM . That's OK.

In true NPO form, I'm asking for volunteers who can help out. The first step is to look at the existing incarnation of the RA Methodology and make recommendations.