Newcomer II

Risk Assessment

Hello ISC2 Community,

I am 2 weeks into a new role leading Information Security with the initial goal of gaining SOC 2 certification.  This is a small 200+ private company with lots of work to do, developing policies, procedures, etc.  Question, is there a good Risk Assessment tool I could gain access to and use internally?  Would like to start internally prior to spending $$$ with a 3rd party.
Welcome feedback and guidance.

Thanks,

Linda

8 Replies
Newcomer I

Re: Risk Assessment

Hi,

There are some open source tools which can be helpful. Most probably you could also get away with an Excel spreadsheet (just google for templates as there are tons of them).

https://github.com/Risk-Assessment-Framework/RiskAssessmentFramework

Community Champion

Re: Risk Assessment

> Lwhite (Newcomer II) posted a new topic in Governance, Risk, Compliance on

> Hello ISC2 Community, I am 2 weeks into a new role leading Information Security
> with the initial goal of gaining SOC 2 certification.  This is a small 200+
> private company with lots of work to do, developing policies, procedures, etc. 
> Question, is there a good Risk Assessment tool I could gain access to and use
> internally?

Would start off with Allegro (cut down OCTAVE) from Carnegie Mellon:
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419

See also NIST publications on the topic.

Those should start you off with a good basis at no cost ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I loved when my father made use of my mother's hands when he ran
out of useful digits on his own, during complicated
demonstrations, folding her fingers into stress coordinates, said
Avery. Years later, I remembered this habit of his and began to
wonder if my father had used other parts of my mother in private
demonstrations I never saw. I liked the idea that perhaps I was
the result of an intricate equation.
- `The Winter Vault,' Anne Michaels
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Community Champion

Re: Risk Assessment

@Lwhite I also love Open Source GRC products such as eramba, which you can spin up in a Docker container in seconds! (here).

It's not much more work to build a risk management solution on your own (except for the hours you'll put into defining the structure) than it is with a commercial product. I always joke/cry that you can get commercial software for nothing but a song and dance, but then you will spend the next 3 years and 4 FTEs making it actually work for your company. Caveat emptor!

Viewer II

Re: Risk Assessment

Hi,

I use "Airtable" for this purpose. It is a super-vitamin "Excel" software that provides more dynamic views, tables, and reports. I use it in my company and so far so good. I highly recommend it.
Best
Diego
Newcomer II

Re: Risk Assessment

Thank you I'll take a look!

Newcomer II

Re: Risk Assessment

Thank you.  This will be good for later. Right now I need something very simple and then will grow.

Viewer II

Re: Risk Assessment

You can use a self-assessment based on ISO 27002 measures (114).

Your first task is to define your perimeter and the exclusions.

Use the commitment of your management and security policy.

Newcomer II

Re: Risk Assessment

The CIS RAM (https://learn.cisecurity.org/cis-ram) helped me get through risk assessment hurdles in the past. Last year I used this tool to get an organization ISO 27001 certified, and at my old organization it was useful in fulfilling the requirements of our SOC 2 audit.