I have used risk analysis software since 1994. RiskWatch was a global leader in providing Risk Assessment Software Solutions and Consultation across numerous industries. We used it in the Venezuelan National Oil Company mainly for physical security risks. The benefit of using the software as opposed to an Excel worksheet is the knowledge that it carries for analysis.
I have had my eye on Eramba for quite some time, http://www.eramba.org/
I have not had the opportunity to use it yet, but it does cover a lot of pain points regarding processes and risk management. The biggest hurdle I see is that it tries to do too much, meaning that implementing it company-wide is nearly impossible because there are usually other solutions already running. I see it more as a management tool for Security and Compliance.
You could try FAIR (https://en.wikipedia.org/wiki/Factor_analysis_of_information_risk)
Here is a link to the FAIR website, tool and learning materials (http://www.fairinstitute.org/learn-fair)
I am still baffled by the term risk analysis in terms of the role.
Let's take an example: I am a techie, and we deploy a web server to allow users to access their services. An architect may come to me and say, how do we ensure that the services are available when the business needs them? I might say, well:
1. For high availability you are going to need multiple web servers to remove a single point of failure
2. It would make sense to deploy an intelligent device such as an F5 or load balancer for the purposes of assigning the requests across multiple servers and to report on web servers that might go down or fail.
3. We might need to scale out to ensure that we have adequate capacity should one of the servers go down.
4. We need to install SSL certificates on the load balancer to ensure traffic is encrypted
5. All servers would need to be part of the EPO to ensure virus protection.
The above 5 points cover CIA. My question is: if the techie has done all the leg work, where does the risk analysis fit in all of this?
Nice question! May I start by stating clearly what risk analysis aims to achieve in every aspect of a business. Risk analysis is the review of the risks associated with a particular event or action. It helps identify potential threats and the impact they may have on the organization. Risk analysis can be either qualitative or quantitative.
Quantitative risk analysis measures expected risk probability to forecast estimated financial losses from potential risks. Qualitative risk analysis reviews threats, and determines or establishes risk mitigation methods and solutions.
Therefore, the items on the list of solutions the techie guy has enumerated only belong to the IT security controls that must be put in place to mitigate potential risk.

The point here is this: why do you need to have high availability on the servers, SSL certificates installed for encryption, load balancing, etc., if these were not there to address a security threat? Obviously there must have been a particular threat (or some threats) that these controls will try to eliminate. Assessing these identified threats, as well as the impact they will have on the business if they eventually occur, is what matters to the management of the business, not just the technology in place.

Also, risk analysis is needed because you need to review whether the controls in place can still mitigate other similar threats in the couple of years to come. Threats to CIA keep emerging daily with the rise in cyber-related attacks. So reviewing your security infrastructure's resilience (part of risk analysis) is what helps keep you a bit ahead of the possible risks your business may face in the future. From my own experience, risk analysis is needed to help curb or check control gaps for the techie guy to close up.

Remember that your risk analysis would be documented as a report to the board of the organization (especially the non-techie members) for them to see how IT risks may have a significant impact on the Enterprise Risk. How would they have that clear visibility if no risk analysis were conducted?
All good responses to my question. Thanks for the replies.
First of all, apologies in advance if you feel I am putting you in the spotlight. It's only because I need a better understanding of risk, especially how it relates to the real world.
What do you mean by Enterprise Risk ?
Say senior management have said that the website has to have all the required controls in place to ensure that services are available 24x7. If the website were to go down it could incur a huge loss of £XXXXX per hour, due to workers being unable to process payments.
What would your say be in this? Would you come back to me, the techie, and ask these questions from a technical standpoint? Then translate this techie Klingon language into what management can understand?
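To make the quantitative side of the earlier reply concrete for the 24x7 website scenario, here is an added worked example; it is not code from any poster in this thread. Every figure in it is a hypothetical assumption: £5,000 lost per hour while payments cannot be processed (standing in for the £XXXXX), outage frequency and outage length estimated as min / most likely / max ranges for the single-server setup and for the load-balanced pair, and £12,000 a year to run the load balancer and second server. It computes the textbook ALE = SLE × ARO, then a FAIR-style Monte Carlo that samples loss event frequency and loss magnitude from those ranges, and finally the net value of the control: the annual loss it removes minus what it costs. That last number is the one the architect can hand to management.

```python
"""Quantitative risk analysis for the web-server availability scenario.

Added example. All figures are hypothetical assumptions, not data from the thread.
"""
import math
import random
import statistics

# Hypothetical: £ lost per hour while workers cannot process payments.
LOSS_PER_HOUR_GBP = 5_000


def annualized_loss_expectancy(single_loss_expectancy, annual_rate_of_occurrence):
    """Textbook quantitative risk: ALE = SLE x ARO, in £ per year."""
    return single_loss_expectancy * annual_rate_of_occurrence


def control_value(ale_before, ale_after, annual_control_cost):
    """Net annual value of a control: risk removed minus what the control costs.

    A negative result means the control costs more than the risk it addresses,
    which is exactly the conversation to have with management before buying it.
    """
    return (ale_before - ale_after) - annual_control_cost


def _poisson(rng, lam):
    """Knuth's algorithm: how many outages happen in a year at mean rate lam."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(freq, duration_hours, trials=20_000, seed=1):
    """FAIR-style Monte Carlo of annual loss from outages.

    freq and duration_hours are (min, most_likely, max) triples: loss event
    frequency per year and outage length per event. Each trial samples a rate,
    draws how many outages occur that year, then adds up the cost of each one.
    Returns the mean, 90th percentile and worst simulated annual loss in £.
    """
    rng = random.Random(seed)  # fixed seed so the numbers are reproducible
    losses = []
    for _ in range(trials):
        rate = rng.triangular(freq[0], freq[2], freq[1])
        n_events = _poisson(rng, rate)
        year_loss = 0.0
        for _ in range(n_events):
            hours = rng.triangular(duration_hours[0], duration_hours[2], duration_hours[1])
            year_loss += hours * LOSS_PER_HOUR_GBP
        losses.append(year_loss)
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "p90": losses[int(0.9 * (trials - 1))],
        "max": losses[-1],
    }


def compare_controls(annual_control_cost=12_000, seed=1):
    """Single web server vs. load balancer + two servers (hypothetical estimates).

    Before: 1-6 outages a year (most likely 3), each 0.5-8 hours (most likely 2).
    After:  0-2 outages a year (most likely 0.5), each 0.1-2 hours (most likely 0.5),
            because the load balancer fails traffic over to the surviving server.
    """
    before = simulate_annual_loss(freq=(1, 3, 6), duration_hours=(0.5, 2, 8), seed=seed)
    after = simulate_annual_loss(freq=(0, 0.5, 2), duration_hours=(0.1, 0.5, 2), seed=seed)
    return {
        "before": before,
        "after": after,
        "net_value_of_control": control_value(before["mean"], after["mean"], annual_control_cost),
    }


if __name__ == "__main__":
    # Simple ALE: a 2-hour outage (SLE = £10,000) expected 3 times a year.
    print("ALE, single server:", annualized_loss_expectancy(2 * LOSS_PER_HOUR_GBP, 3))
    result = compare_controls()
    for label in ("before", "after"):
        r = result[label]
        print(f"{label:7s} mean £{r['mean']:,.0f}  p90 £{r['p90']:,.0f}  worst £{r['max']:,.0f}")
    print(f"net annual value of HA + load balancer: £{result['net_value_of_control']:,.0f}")
```

The ranges are deliberately wide: the point of the Monte Carlo over the single ALE line is that it turns "we think about three outages a year" into a distribution, so the report to the board can say "we expect about £X a year, and one year in ten will cost more than £Y", which is language a non-technical member can weigh against the £12,000 the control costs. Replace the triples with your own estimates, and note that the cost of the control is part of the analysis, not an afterthought.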