I have noticed that alot of people talk about using risk analysis software. Has anyone used risk analysis software, if so which specific packages have you used and why ?. What are the benefits of using the software as oppose to an excel worksheet ?.
Best wishes
Curran
Hi, I used a system called Rsam which is by far more efficient then excel worksheet for the following reasons:
- centralized system to handle risks and all its related information
- integrated workflow system (assign, set deadline, exception, notifications)
- simplify the follow up
- reporting (in excel worksheet format, pdf, charts with nice visual graphs)
- open system which can be useful to integrate process such as exception requests from other systems
I personally enjoyed working on Rsam vs traditional excel worksheets.
Just to add that Rsam is not specifically a Risk Analysis Software but a complete Enterprise Governance, Risk and Compliance solution.
Hi,
Is this Rsam Software available for free download?
Regards
@sdaher wrote:Hi, I used a system called Rsam which is by far more efficient then excel worksheet for the following reasons:
- centralized system to handle risks and all its related information
- integrated workflow system (assign, set deadline, exception, notifications)
- simplify the follow up
- reporting (in excel worksheet format, pdf, charts with nice visual graphs)
- open system which can be useful to integrate process such as exception requests from other systems
I personally enjoyed working on Rsam vs traditional excel worksheets.
Just to add that Rsam is not specifically a Risk Analysis Software but a complete Enterprise Governance, Risk and Compliance solution.
Hi ChickenCurry,
It sounds like you want to do a PoC of something to see if it works? You won't typically find anything that does risk management for free. There are some great tools out there - RSA Archer, 3GRC, RSAM, but they are all commercial and typically work for different sized environments, or for different problems.
Archer is a beast, huge and sprawling, with the right data in the right places it is incredibly powerful, but it takes a LOT of putting together, which typically means consultancy for RSA. Good for large enterprises.
3GRC is nimbler, originally dedicated to 3rd party assessments, but now developed into an enterprise toolset, feature set is growing all the time. Can be implemented relatively quickly and grown over time, but also required consultancy to install properly.
RSAM I don't know, but looks good, might check it out...
At the end of the day, you will need to pay for something if it's not an Excel spreadsheet. sdaher is right about the benefits of the software though - once you get to multiple assets, multiple applications running on those (shared) assets, and multiple business processes running over the top of it all, it's impossible to track on a spreadsheet, you need a relational database to hold it all and represent what you are trying to see from the various different angles - you want to see the same risk as it pertains to the business, system owners and IT.
Rob.
Rob, the truth is I want to understand what risk software is out there and whether its worth investing time and effort learning a specific package. Being someone who comes from a virtualisation, windows background. Risk Analysis is a new area for me.
My only exposure in the real world has been raising change management requests to deploy a new piece of software or a server to the production environment. That did involve running a risk matrix as a part of the change. This was more qualitative then quantitative.
Apart from whats taught on the CISSP syllabus. I want to understand what people use out there to carry out risk analysis.
Best Wishes
Curran
Did you have to undergo any specific training to use Rsam ?
Hi Curran,
OK, that makes sense, but in truth there is no substitute for experience when it comes to risk management - it is as much an art as a science. Don't look at software for your answers, look at some of the methodologies out there - IRAM2 (free to download if you are a member of the ISF), IS1/2 (now deprecated government risk methodology, even the old style maturity assessments like IAMM and CRAMM have some worth. At a high level risk management is about looking at your environment, looking at what threats there are to it, the vulnerabilities that are inherent in it and making a judgment as to whether a threat can compromise a vulnerability. That gives you your risk. If you can quantify it somehow, then you can prioritise one risk over another. If you can get the business to set a risk appetite, you know when risks need to be treated and when you can accept them, also when risks aggregate to become unacceptable.
There are multiple layers to it as you can probably tell.
I'm currently taking IRAM2 and trying to integrate it into the business. ISF has a control framework which does this, but doesn't implement it in IRAM2, so we've (I have a colleague running it in BAU) bashing the 2 together and adding another layer above the technical context, i.e. business context, which helps show where the threats to the business. We're hoping to turn it into an enterprise risk/benefit communication tool. We are also implementing it within Archer, which is taking a long time.
Rob.
Rob you have hit the nail on the head . Indeed its much of an art as it is a science and no piece of software can substitute developing that specific skillset. As you suggested will have alook at the IAMM and CRAMM.
Many thanks
Honestly, don't go anywhere CRAMM. You'll spend all your time driving the tool and none actually doing risk assessment.
It was one of these methodologies that simply got too big and complex to be practical in any reasonable environment.
That could be argued of any of them really. IRAM2 is horrible if you pick a detailed control set, or put too many assets in. You get out what you put in...