topic Re: Risk Analysis Software in Member Support

Risk Analysis Software

ChickenCurry — Wed, 25 Oct 2017 12:10:46 GMT

I have noticed that alot of people talk about using risk analysis software. Has anyone used risk analysis software, if so which specific packages have you used and why ?. What are the benefits of using the software as oppose to an excel worksheet ?.

Best wishes

Curran

Re: Risk Analysis Software

sdaher — Wed, 25 Oct 2017 18:22:27 GMT

Hi, I used a system called Rsam which is by far more efficient then excel worksheet for the following reasons:

- centralized system to handle risks and all its related information

- integrated workflow system (assign, set deadline, exception, notifications)

- simplify the follow up

- reporting (in excel worksheet format, pdf, charts with nice visual graphs)

- open system which can be useful to integrate process such as exception requests from other systems

I personally enjoyed working on Rsam vs traditional excel worksheets.

Just to add that Rsam is not specifically a Risk Analysis Software but a complete Enterprise Governance, Risk and Compliance solution.

Re: Risk Analysis Software

EkanemPhilip — Thu, 26 Oct 2017 09:27:15 GMT

Hi,

Is this Rsam Software available for free download?

Regards

@sdaher wrote:
Hi, I used a system called Rsam which is by far more efficient then excel worksheet for the following reasons:
- centralized system to handle risks and all its related information
- integrated workflow system (assign, set deadline, exception, notifications)
- simplify the follow up
- reporting (in excel worksheet format, pdf, charts with nice visual graphs)
- open system which can be useful to integrate process such as exception requests from other systems
I personally enjoyed working on Rsam vs traditional excel worksheets.
Just to add that Rsam is not specifically a Risk Analysis Software but a complete Enterprise Governance, Risk and Compliance solution.

Re: Risk Analysis Software

RobN — Thu, 26 Oct 2017 09:39:26 GMT

Hi ChickenCurry,

It sounds like you want to do a PoC of something to see if it works? You won't typically find anything that does risk management for free. There are some great tools out there - RSA Archer, 3GRC, RSAM, but they are all commercial and typically work for different sized environments, or for different problems.

Archer is a beast, huge and sprawling, with the right data in the right places it is incredibly powerful, but it takes a LOT of putting together, which typically means consultancy for RSA. Good for large enterprises.

3GRC is nimbler, originally dedicated to 3rd party assessments, but now developed into an enterprise toolset, feature set is growing all the time. Can be implemented relatively quickly and grown over time, but also required consultancy to install properly.

RSAM I don't know, but looks good, might check it out...

At the end of the day, you will need to pay for something if it's not an Excel spreadsheet. sdaher is right about the benefits of the software though - once you get to multiple assets, multiple applications running on those (shared) assets, and multiple business processes running over the top of it all, it's impossible to track on a spreadsheet, you need a relational database to hold it all and represent what you are trying to see from the various different angles - you want to see the same risk as it pertains to the business, system owners and IT.

Rob.

Re: Risk Analysis Software

ChickenCurry — Thu, 26 Oct 2017 12:32:05 GMT

Rob, the truth is I want to understand what risk software is out there and whether its worth investing time and effort learning a specific package. Being someone who comes from a virtualisation, windows background. Risk Analysis is a new area for me.

My only exposure in the real world has been raising change management requests to deploy a new piece of software or a server to the production environment. That did involve running a risk matrix as a part of the change. This was more qualitative then quantitative.

Apart from whats taught on the CISSP syllabus. I want to understand what people use out there to carry out risk analysis.

Best Wishes

Curran

Re: Risk Analysis Software

ChickenCurry — Thu, 26 Oct 2017 12:33:41 GMT

Did you have to undergo any specific training to use Rsam ?

Re: Risk Analysis Software

RobN — Thu, 26 Oct 2017 12:40:52 GMT

Hi Curran,

OK, that makes sense, but in truth there is no substitute for experience when it comes to risk management - it is as much an art as a science. Don't look at software for your answers, look at some of the methodologies out there - IRAM2 (free to download if you are a member of the ISF), IS1/2 (now deprecated government risk methodology, even the old style maturity assessments like IAMM and CRAMM have some worth. At a high level risk management is about looking at your environment, looking at what threats there are to it, the vulnerabilities that are inherent in it and making a judgment as to whether a threat can compromise a vulnerability. That gives you your risk. If you can quantify it somehow, then you can prioritise one risk over another. If you can get the business to set a risk appetite, you know when risks need to be treated and when you can accept them, also when risks aggregate to become unacceptable.

There are multiple layers to it as you can probably tell.

I'm currently taking IRAM2 and trying to integrate it into the business. ISF has a control framework which does this, but doesn't implement it in IRAM2, so we've (I have a colleague running it in BAU) bashing the 2 together and adding another layer above the technical context, i.e. business context, which helps show where the threats to the business. We're hoping to turn it into an enterprise risk/benefit communication tool. We are also implementing it within Archer, which is taking a long time.

Rob.

Re: Risk Analysis Software

ChickenCurry — Thu, 26 Oct 2017 12:56:59 GMT

Rob you have hit the nail on the head . Indeed its much of an art as it is a science and no piece of software can substitute developing that specific skillset. As you suggested will have alook at the IAMM and CRAMM.

Many thanks

Re: Risk Analysis Software

mwapemble — Thu, 26 Oct 2017 15:01:17 GMT

Honestly, don't go anywhere CRAMM. You'll spend all your time driving the tool and none actually doing risk assessment.

It was one of these methodologies that simply got too big and complex to be practical in any reasonable environment.

Re: Risk Analysis Software

RobN — Thu, 26 Oct 2017 15:08:34 GMT

That could be argued of any of them really. IRAM2 is horrible if you pick a detailed control set, or put too many assets in. You get out what you put in...

Re: Risk Analysis Software

JLUGO — Sun, 29 Oct 2017 22:57:50 GMT

I have used risk analysis software back since 1994. RiskWatch was a global leader in providing Risk Assessment Software Solutions and Consultation across numerous industries. We used it in the Venezuelan National Oil Company maninly for physical security risks.? Benefits of using the software as opposed to an excel worksheet is the knowledge that it carries for analysis.

Best regards,

Jesús

Re: Risk Analysis Software

Elvar — Mon, 30 Oct 2017 10:12:16 GMT

I have had my eye on Eramba for quite some time, http://www.eramba.org/

Not had the opportunity to use it yet but it does cover a lot of pain points regarding processes and risk management. The biggest hurdle I see is that it tries to do too much, meaning that implementing it company wide is nearly impossible because there are usually other solutions already running. I see it more like a management tool for Security and Compliance.

Re: Risk Analysis Software

HMajek — Mon, 30 Oct 2017 10:22:45 GMT

You could try FAIR (https://en.wikipedia.org/wiki/Factor_analysis_of_information_risk)

Here is a link to the FAIR website, tool and learning materials (http://www.fairinstitute.org/learn-fair )

Enjoy.

Re: Risk Analysis Software

ChickenCurry — Thu, 02 Nov 2017 17:43:25 GMT

I am still baffled by the term risk analysis in terms of the role.

Lets take an example I am techie,we deployout a web server to allow users to access their services. An architect may come to me and say how do we ensure that the services are available when the business needs it. I might say well

1. For high availability you are going to need multiple web servers to remove a single point of failure

2. It would make sense to deploy an intelligent device such as an F5 or load balancer for the purposes of assigning the requests across multiple servers and to report on web servers that might go down or fail.

3. We might need to scaleout out to ensure that we have adequate load should one of the servers go down.

4. We need to install SSL certificates on the load balancer to ensure traffic is encrypted

5. All servers would need to part of the EPO to ensure virus protection

The above 5points cover CIA. My question if the techie has done all the leg work where does the risk analysis fit in all of this ?

Regards

Curran

Re: Risk Analysis Software

Elvar — Thu, 02 Nov 2017 20:10:38 GMT

The risk analysis looks at the system itself, the solutions you listed are in place to manage the identified risks.

For example availability is perhaps classed as important to the system. Setting up a load balancer in front of multiple web servers would lower the availability risk.

Re: Risk Analysis Software

EkanemPhilip — Thu, 02 Nov 2017 22:38:21 GMT

Hi Curran,

Nice question!! may i start by stating clearly what risk analysis aim to achieve in every aspect of a business. Risk analysis is the review of the risks associated with a particular event or action. It helps identify potential threats and the impact it may have to the organization. Risk analysis could either be qualitative or quantitative.

Quantitative risk analysis measures expected risk probability to forecast estimated financial losses from potential risks. Qualitative risk analysis reviews threats, and determines or establishes risk mitigation methods and solutions.

Therefore, from the list of solutions the techie guy has enumerated, they only belong to the IT Security controls that must be put in place to mitigate potential risk.

The point here is this: why do you need to have high availability on the servers, SSL certificates installed for encryption, load balancing, etc, if these were not to address a security threat? obviously there must have been a particular (or some)threats that these controls will try to eliminate.By assessing these identified threats as well as the impact such will have on the business if eventually it occurs is what matters to the management of the business not just the technology in place. Also, risk analysis is also needed because you need to review if the controls in place can still mitigate other similar threats in the couple of years.to come. Threats to CIA keeps emerging daily with the rise in cyber related attacks. So,reviewing your security infrastructure resilience (part of risk analysis) is what helps keeps you a bit ahead of the possible risk your business may face in the future. From my own experience, risk analysis is needed to help curb or check control gaps for the techie guy to close up. Remember that your risk analysis would be documented as a form of report to the board of the organization( especially the non techie members) for them to see how the IT risks may play a significant impact on the Enterprise Risk. How would they have that clear visibility if there are no risk analysis conducted?

Regards

Philip

Re: Risk Analysis Software

ChickenCurry — Fri, 03 Nov 2017 05:48:14 GMT

Guys.

All good responses to my question. Thanks for the replies.

Philip,

First of all apologies in advance if you feel I am putting you onthe spotlight. Its only because I need a better understanding of risk. Especially how it relates to the real world.

What do you mean by Enterprise Risk ?

Say senior management have said that the website. Has to have all the required controls in place to ensure that services are available 24x7. If the website were to go down it could incur a huge loss of £XXXXX per hour. Due to workers unable to process payments.

What would your say be in this ?. Would you come back to me the technie and ask these questions from technical standpoint ?. Then translate this techie klingon language to what management can understand ?

Best Wishes

Curran

Re: Risk Analysis Software

BillyAnglin — Thu, 31 Jan 2019 01:45:51 GMT

Did you ever get a chance to check out Eramba?

Re: Risk Analysis Software

JLUGO — Thu, 31 Jan 2019 11:59:04 GMT

Didn't have the chance.