topic Re: Risk Assessment in Governance, Risk, Compliance

Risk Assessment

Lwhite — Mon, 09 Oct 2023 09:34:03 GMT

Hello ISC2 Community,

I am 2 weeks into a new role leading Information Security with the initial goal of gaining SOC 2 certification. This is a small 200+ private company with lots of work to do, developing policies, procedures, etc. Question, is there a good Risk Assessment tool I could gain access to and use internally? Would like to start internally prior to spending $$$ with a 3rd party.
Welcome feedback and guidance.

Thanks,

Linda

Re: Risk Assessment

Wiktor — Wed, 08 Jul 2020 15:57:35 GMT

Hi,

There are some open source tools which can be helpfull. Most probably you could also get away with excel spreedsheet (just google for templates as there are tones of them).

https://github.com/Risk-Assessment-Framework/RiskAssessmentFramework

Re: Risk Assessment

rslade — Wed, 08 Jul 2020 19:01:40 GMT

> Lwhite (Newcomer II) posted a new topic in Governance, Risk, Compliance on

> Hello ISC2 Community, I am 2 weeks into a new role leading Information Security
> with the initial goal of gaining SOC 2 certification.Â This is a small 200+
> private company with lots of work to do, developing policies, procedures, etc.Â
> Question, is there a good Risk Assessment tool I could gain access to and use
> internally?

Would start off with Allegro (cut down OCTAVE) from Carnegie Mellon:
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419

See also NIST publications on the topic.

Those should start you off with a good basis at no cost ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I loved when my father made use of my mother's hands when he ran
out of useful digits on his own, during complicated
demonstrations, folding her fingers into stress coordinates, said
Avery. Years later, I remembered this habit of his and began to
wonder if my father had used other parts of my mother in private
demonstrations I never saw. I liked the idea that perhaps I was
the result of an intricate equation.
- `The Winter Vault,' Anne Michaels
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: Risk Assessment

AppDefects — Wed, 08 Jul 2020 19:03:52 GMT

@LwhiteI also love Open Source GRC products such as eramba, which you can spin up the Docker container in seconds! (here).

It's not much more work to build a risk management solution on your own (except for the hours you'll put into defining the structure) then it is with a commercial product. I always joke/cry that you can get commercial software nothing but a song and dance, but then you will spend the next 3 years and 4 FTEs making it actually work for your company. Caveat emptor!

Re: Risk Assessment

DiegoRojas — Thu, 09 Jul 2020 13:55:58 GMT

Hi,

I use "Airtable" for this purpose. It is a super-vitamin "excel" software that provides more dynamic views, tables, and reports. I use it in my company and so far so good. I highly recommend you.
Best
Diego

Re: Risk Assessment

Lwhite — Tue, 14 Jul 2020 17:20:52 GMT

Thank you I'll take a look!

Re: Risk Assessment

Lwhite — Tue, 14 Jul 2020 17:21:49 GMT

Thank you. This will be good for later. Right now I need something very simple and then will grow.

Re: Risk Assessment

Benabdelmoumene — Tue, 11 Aug 2020 10:51:38 GMT

You can use a self-assesment based on ISO 27002 measures.(114)

Your first work, is to defined your perimiter and the exlusions.

Use the commitment of your management and security policie

Re: Risk Assessment

BillyAnglin — Sun, 16 Aug 2020 02:53:33 GMT

The CIS RAM (https://learn.cisecurity.org/cis-ram) helped me get through risks assessment hurdles in the past. Last year I used this tool to get an organization ISO 27001 certified, and at my old organization it was useful in fulfilling the requirements of our SOC 2 audit.

Re: Risk Assessment

nn4370 — Mon, 08 Nov 2021 02:27:08 GMT

HI DiegoRojas
I am new to a role in Security Risk and Compliance and have been asked to use Airtable for a Risk Register, is this something you would be willing to share on how it works for you? I havent used Airtable before. I am happy to setup a meeting with you if you are willing? Thanks Nicole