

How to structure an overall security risk assessment?

Posted on 2003-02-20
Medium Priority
Last Modified: 2012-03-15

I was just asked to conduct an overall, not a detailed, IS security risk assessment.  I'm looking for some references in risk assessment and reporting (not risk mitigation). This includes establishing risk and impact criteria / definitions (e.g., "High" means ...), a way to assess, prioritize and report risks, etc.

I've done detailed risk assessments and security analysis, so I'm comfortable with the detailed aspect.  I'm more looking for advice on how to structure and frame the detailed results and high-level observations into a management framework.  My audience is CIO level at a 10,000 employee firm.

I plan to look at the CERT and CISSP sites.  Any other suggestions for places to pick up ideas?

Thank you!
Question by: Al_S
LVL 14

Accepted Solution

chris_calabrese earned 152 total points
ID: 7988788
This is a very difficult question to answer, because the kinds of things you want to look at for a high-level assessment are very different than for a technical assessment. In particular, you'll have to look at Legal issues and Systemic policy/procedure issues.

Indeed, you should not even have things like the definition of 'High' because you should never say 'High'. You should say 'Annualized Loss Expectancy' and 'Cost to remediate vs. cost to insure against'.

I don't think the CERT site has much that's at this high a level.

And the ISC2 site (home of the CISSP certification) has very little for free (though a lot if you're willing to pay).

There's _some_ stuff about this on the SANS website (www.sans.org). Other sites to check out are http://www.itsec.gov.uk/ and http://www.cerias.purdue.edu/coast/coast.html.

Assisted Solution

spreston earned 148 total points
ID: 7988928
Having done countless of them myself (although they're generally Security Reviews or Threat and Risk Assessments) most reports I've put together cater to rather broad audiences, simply because although your ultimate target may be the CIO, he'll likely pass the report around to others who may require a lot more meat.

Although I agree with Chris that illustrating risks based on loss expectancy can be effective, there are ways to use High, Med, Low in a report, and personally, I'd recommend it.  Upper management, in my experience, likes things very cut and dry with the ability to contrast between two different options.  Properly defining L/M/H or using "accepted industry standards", especially where risk is concerned, is very valuable.  Ultimately, you know your audience, whether they will be more persuaded by dollar figures or defined risk categories.

You can probably find a lot of what you're looking for by doing Google searches for "Security Review" or "TRA" and combine useful parts of both.  If you're in dire need, I could also cleanse one of my reports for you, to get you started.


Shawn Preston, CISSP
Founder, SecureThinking

"Where Information Security Evolves"
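As an added worked example (not code from either expert's post), this ranks a small risk register by the Annualized Loss Expectancy Chris refers to, maps each figure into the High/Medium/Low bands Shawn prefers, and compares the annualized cost of a safeguard against the loss it avoids; the band thresholds and the sample register are assumed values.

```python
# Added example (not from the original thread): ranks risks by Annualized
# Loss Expectancy (ALE = SLE x ARO, where SLE = asset value x exposure
# factor), maps each ALE to an assumed High/Medium/Low band, and compares
# a safeguard's annualized cost with the loss it avoids. Figures are
# constructed for illustration.
from dataclasses import dataclass

# Assumed band definitions for the report's '"High" means ...' section.
BANDS = [("High", 100_000), ("Medium", 10_000), ("Low", 0)]

@dataclass
class Risk:
    name: str
    asset_value: float      # dollar value of the asset at risk
    exposure_factor: float  # fraction of value lost per incident (0..1)
    aro: float              # annualized rate of occurrence (events/year)
    safeguard_cost: float   # annualized cost of the proposed control
    residual_aro: float     # ARO expected once the control is in place

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self, aro=None) -> float:
        return self.sle() * (self.aro if aro is None else aro)

def band(ale: float) -> str:
    for label, floor in BANDS:
        if ale >= floor:
            return label
    return "Low"

def safeguard_value(r: Risk) -> float:
    """Annual benefit of the control: ALE avoided minus its annualized cost."""
    return r.ale() - r.ale(r.residual_aro) - r.safeguard_cost

def report(risks):
    """Rows of (name, ALE, band, recommendation, net value), highest ALE first."""
    rows = []
    for r in sorted(risks, key=lambda r: r.ale(), reverse=True):
        v = safeguard_value(r)
        rows.append((r.name, round(r.ale()), band(r.ale()),
                     "remediate" if v > 0 else "accept/insure", round(v)))
    return rows

# Constructed sample register: (name, asset value, EF, ARO, control cost, residual ARO)
SAMPLE = [
    Risk("Web server defacement", 200_000, 0.10, 2.0, 15_000, 0.2),
    Risk("Laptop theft w/ customer data", 1_000_000, 0.30, 0.5, 60_000, 0.05),
    Risk("Data center fire", 5_000_000, 0.80, 0.02, 150_000, 0.01),
]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("%-32s ALE=$%-8d %-6s %-14s net=$%d" % row)
```

The "accept/insure" rows are the ones where the control costs more per year than the loss it prevents, which is the remediate-versus-insure comparison the first answer suggests putting in front of management.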


Expert Comment

ID: 9816086
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

SPLIT: chris_calabrese{7988788} & spreston{7988928}

Please leave any comments here within the next seven days.

EE Page Editor
