Lwhite
Newcomer III

Risk Assessment

Hello ISC2 Community,

I am 2 weeks into a new role leading Information Security with the initial goal of gaining SOC 2 certification. This is a small 200+ private company with lots of work to do, developing policies, procedures, etc. Question: is there a good Risk Assessment tool I could gain access to and use internally? Would like to start internally prior to spending $$$ with a 3rd party.
Welcome feedback and guidance.

Thanks,

Linda

9 Replies
Wiktor
Newcomer I

Hi,

There are some open source tools which can be helpful. Most probably you could also get away with an Excel spreadsheet (just google for templates, as there are tons of them).

https://github.com/Risk-Assessment-Framework/RiskAssessmentFramework

rslade
Influencer II

> Lwhite (Newcomer II) posted a new topic in Governance, Risk, Compliance on

> Hello ISC2 Community, I am 2 weeks into a new role leading Information Security
> with the initial goal of gaining SOC 2 certification.  This is a small 200+
> private company with lots of work to do, developing policies, procedures, etc. 
> Question, is there a good Risk Assessment tool I could gain access to and use
> internally?

Would start off with Allegro (cut down OCTAVE) from Carnegie Mellon:
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419

See also NIST publications on the topic.

Those should start you off with a good basis at no cost ...

AppDefects
Community Champion

@Lwhite I also love Open Source GRC products such as eramba, which you can spin up as a Docker container in seconds!

It's not much more work to build a risk management solution on your own (except for the hours you'll put into defining the structure) than it is with a commercial product. I always joke/cry that you can get commercial software for nothing but a song and dance, but then you will spend the next 3 years and 4 FTEs making it actually work for your company. Caveat emptor!

DiegoRojas
Viewer II

Hi,

I use "Airtable" for this purpose. It is a super-vitamin "Excel" software that provides more dynamic views, tables, and reports. I use it in my company and so far so good. I highly recommend it.
Best
Diego
Lwhite
Newcomer III

Thank you I'll take a look!

Lwhite
Newcomer III

Thank you.  This will be good for later. Right now I need something very simple and then will grow.

Benabdelmoumene
Viewer II

You can use a self-assessment based on the ISO 27002 measures (114).

Your first task is to define your perimeter and the exclusions.

Use the commitment of your management and the security policy.

BillyAnglin
Newcomer II

The CIS RAM (https://learn.cisecurity.org/cis-ram) helped me get through risk assessment hurdles in the past. Last year I used this tool to get an organization ISO 27001 certified, and at my old organization it was useful in fulfilling the requirements of our SOC 2 audit.

nn4370
Viewer II

Hi DiegoRojas,
I am new to a role in Security Risk and Compliance and have been asked to use Airtable for a Risk Register. Is this something you would be willing to share, on how it works for you? I haven't used Airtable before. I am happy to set up a meeting with you if you are willing? Thanks, Nicole