How to structure an overall security risk assessment?

Posted on 2003-02-20
Medium Priority
Last Modified: 2012-03-15

I was just asked to conduct an overall, not a detailed, IS security risk assessment.  I'm looking for some references in risk assessment and reporting (not risk mitigation). This includes establishing risk and impact criteria / definitions (e.g., "High" means ...), a way to assess, prioritize and report risks, etc.

I've done detailed risk assessments and security analysis, so I'm comfortable with the detailed aspect.  I'm more looking for advice on how to structure and frame the detailed results and high-level observations into a management framework.  My audience is CIO level at a 10,000-employee firm.

I plan to look at the CERT and CISSP sites.  Any other suggestions for places to pick up ideas?

Thank you!
Question by: Al_S

Accepted Solution

chris_calabrese earned 152 total points
ID: 7988788
This is a very difficult question to answer, because the kinds of things you want to look at for a high-level assessment are very different than for a technical assessment. In particular, you'll have to look at legal issues and systemic policy/procedure issues.

Indeed, you should not even have things like the definition of 'High' because you should never say 'High'. You should say 'Annualized Loss Expectancy' and 'Cost to remediate vs. cost to insure against'.

I don't think the CERT site has much that's at this high a level.

And the ISC2 site (home of the CISSP certification) has very little for free (though a lot if you're willing to pay).

There's _some_ stuff about this on the SANS website (www.sans.org). Other sites to check out are http://www.itsec.gov.uk/ and http://www.cerias.purdue.edu/coast/coast.html.

Assisted Solution

spreston earned 148 total points
ID: 7988928
Having done countless of them myself (although they're generally Security Reviews or Threat and Risk Assessments), most reports I've put together cater to rather broad audiences, simply because although your ultimate target may be the CIO, he'll likely pass the report around to others who may require a lot more meat.

Although I agree with Chris that illustrating risks based on loss expectancy can be effective, there are ways to use High, Med, Low in a report, and personally, I'd recommend it.  Upper management, in my experience, likes things very cut and dry, with the ability to contrast between two different options.  Properly defining L/M/H or using "accepted industry standards", especially where risk is concerned, is very valuable.  Ultimately, you know your audience, and whether they will be more persuaded by dollar figures or defined risk categories.

You can probably find a lot of what you're looking for by doing Google searches for "Security Review" or "TRA" and combine useful parts of both.  If you're in dire need, I could also cleanse one of my reports for you, to get you started.


Shawn Preston, CISSP
Founder, SecureThinking

"Where Information Security Evolves"
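The two answers above describe the two reporting styles a CIO-level register can use: Chris's Annualized Loss Expectancy with a remediate-vs-insure comparison, and Shawn's defined High/Med/Low bands. The following Python is an added illustration of how both fit in one register; it is not code from either answerer or from Experts Exchange. It uses the standard definitions ALE = SLE x ARO and SLE = asset value x exposure factor, and every risk, threshold and dollar figure in it is a constructed sample, not a figure from the question.

```python
from dataclasses import dataclass

# Constructed sample banding thresholds (annual expected loss, in dollars).
# In a real report these would be agreed with the audience up front and
# printed in the report's criteria section so "High" has a stated meaning.
BAND_THRESHOLDS = {"High": 100_000, "Medium": 10_000}  # anything lower is "Low"


@dataclass
class Risk:
    name: str
    asset_value: float          # value of the asset at stake
    exposure_factor: float      # fraction of asset value lost per incident (0..1)
    aro: float                  # annualized rate of occurrence (incidents per year)
    remediation_cost: float     # annual cost of the proposed control
    control_effectiveness: float  # fraction of expected loss the control removes (0..1)
    insurance_premium: float    # annual premium to transfer the risk (assumed full cover)


def sle(r: Risk) -> float:
    """Single Loss Expectancy: expected loss from one incident."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized Loss Expectancy: expected loss per year if nothing is done."""
    return sle(r) * r.aro


def annual_cost_by_option(r: Risk) -> dict:
    """Expected annual cost of each response, so options can be contrasted."""
    residual = ale(r) * (1.0 - r.control_effectiveness)
    return {
        "accept": ale(r),                          # carry the expected loss
        "remediate": r.remediation_cost + residual,  # pay for the control, carry what it misses
        "insure": r.insurance_premium,             # assumption: premium covers the full loss
    }


def recommend(r: Risk) -> str:
    """The cheapest option in expected annual cost (ties go to the first listed)."""
    costs = annual_cost_by_option(r)
    return min(costs, key=costs.get)


def band(annual_loss: float, thresholds: dict = BAND_THRESHOLDS) -> str:
    """Map a dollar ALE onto the report's defined H/M/L categories."""
    for label, floor in thresholds.items():   # dict keeps insertion order: High, then Medium
        if annual_loss >= floor:
            return label
    return "Low"


def build_register(risks: list) -> list:
    """Rows for the management summary, highest expected loss first."""
    rows = []
    for r in sorted(risks, key=ale, reverse=True):
        rows.append({
            "name": r.name,
            "ale": ale(r),
            "band": band(ale(r)),
            "recommendation": recommend(r),
            "options": annual_cost_by_option(r),
        })
    return rows


# Constructed sample risks; the numbers are illustrative, not measured.
RISKS = [
    Risk("Ransomware on file servers", 2_000_000, 0.25, 0.25, 30_000, 0.75, 80_000),
    Risk("Unencrypted laptop theft", 4_000, 1.0, 12, 10_000, 0.875, 50_000),
    Risk("Public web site defacement", 40_000, 0.125, 0.5, 8_000, 0.5, 6_000),
]

if __name__ == "__main__":
    for row in build_register(RISKS):
        print(f"{row['band']:<6} ${row['ale']:>10,.0f}  {row['recommendation']:<9} {row['name']}")
```

Both presentations come from the same numbers: the `band` column gives management the cut-and-dry category, while the `options` dictionary carries the dollar comparison a reader who wants more meat will ask for. The "accept" row matters in practice; a control whose annual cost exceeds the loss it prevents (the defacement sample) should be reported as such rather than recommended because the category sounded alarming.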


Expert Comment

ID: 9816086
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

SPLIT: chris_calabrese{7988788} & spreston{7988928}

Please leave any comments here within the next seven days.

EE Page Editor
