Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Lwhite
Newcomer III
‎07-08-2020 11:07 AM
‎07-08-2020 11:07 AM

Risk Assessment

Hello ISC2 Community,

I am 2 weeks into a new role leading Information Security with the initial goal of gaining SOC 2 certification.  This is a small 200+ private company with lots of work to do, developing policies, procedures, etc.  Question, is there a good Risk Assessment tool I could gain access to and use internally?  Would like to start internally prior to spending $$$ with a 3rd party.
Welcome feedback and guidance.

Thanks,

Linda

Reply
9 Replies
Wiktor
Newcomer I
‎07-08-2020 11:57 AM
‎07-08-2020 11:57 AM

Hi,

There are some open source tools which can be helpfull. Most probably you could also get away with excel spreedsheet (just google for templates as there are tones of them).

https://github.com/Risk-Assessment-Framework/RiskAssessmentFramework

 

Reply
rslade
Influencer II
‎07-08-2020 03:01 PM
‎07-08-2020 03:01 PM

> Lwhite (Newcomer II) posted a new topic in Governance, Risk, Compliance on

> Hello ISC2 Community, I am 2 weeks into a new role leading Information Security
> with the initial goal of gaining SOC 2 certification.  This is a small 200+
> private company with lots of work to do, developing policies, procedures, etc. 
> Question, is there a good Risk Assessment tool I could gain access to and use
> internally?

Would start off with Allegro (cut down OCTAVE) from Carnegie Mellon:
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419

See also NIST publications on the topic.

Those should start you off with a good basis at no cost ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I loved when my father made use of my mother's hands when he ran
out of useful digits on his own, during complicated
demonstrations, folding her fingers into stress coordinates, said
Avery. Years later, I remembered this habit of his and began to
wonder if my father had used other parts of my mother in private
demonstrations I never saw. I liked the idea that perhaps I was
the result of an intricate equation.
- `The Winter Vault,' Anne Michaels
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Reply
AppDefects
Community Champion
‎07-08-2020 03:03 PM
‎07-08-2020 03:03 PM

@LwhiteI also love Open Source GRC products such as eramba, which you can spin up the Docker container in seconds! (here).

 

It's not much more work to build a risk management solution on your own (except for the hours you'll put into defining the structure) then it is with a commercial product. I always joke/cry that you can get commercial software nothing but a song and dance, but then you will spend the next 3 years and 4 FTEs making it actually work for your company. Caveat emptor!

Reply
DiegoRojas
Viewer II
‎07-09-2020 09:55 AM
‎07-09-2020 09:55 AM

Hi,

I use "Airtable" for this purpose. It is a super-vitamin "excel" software that provides more dynamic views, tables, and reports. I use it in my company and so far so good. I highly recommend you.
Best
Diego
Reply
Lwhite
Newcomer III
‎07-14-2020 01:20 PM
‎07-14-2020 01:20 PM

Thank you I'll take a look!

Reply
0 Kudos
Lwhite
Newcomer III
‎07-14-2020 01:21 PM
‎07-14-2020 01:21 PM

Thank you.  This will be good for later. Right now I need something very simple and then will grow.

Reply
0 Kudos
Benabdelmoumene
Viewer II
‎08-11-2020 06:51 AM
‎08-11-2020 06:51 AM

You can use a self-assesment based on ISO 27002 measures.(114)

 

Your first work, is to defined your perimiter and the exlusions.

 

Use the commitment of your management and security policie

Reply
BillyAnglin
Newcomer II
‎08-15-2020 10:53 PM
‎08-15-2020 10:53 PM

The CIS RAM (https://learn.cisecurity.org/cis-ram) helped me get through risks assessment hurdles in the past. Last year I used this tool to get an organization ISO 27001 certified, and at my old organization it was useful in fulfilling the requirements of our SOC 2 audit. 

Reply
nn4370
Viewer II
‎11-07-2021 09:27 PM
‎11-07-2021 09:27 PM

HI DiegoRojas
I am new to a role in Security Risk and Compliance and have been asked to use Airtable for a Risk Register, is this something you would be willing to share on how it works for you? I havent used Airtable before. I am happy to setup a meeting with you if you are willing? Thanks Nicole
Reply
0 Kudos