?
Solved

application "risk categories"

Posted on 2011-03-02
3
Medium Priority
?
1,211 Views
Last Modified: 2012-06-27
Sticking with the 4 main measurement factors of risk impact (confidentiality, integrity, availability, accountability) and the 4 main measurement factors of business impact (financial damage, reputational damage, non-compliance, privacy violation) etc. I have been asked to categorise top level risk groups (ideally about 3 or 4) for an application audit tender.

I don’t just want SECURITY. In my opinion risk extends above and beyond security, for example availability could be affected if backup OPERATIONS aren’t working. So I had come up with security and operations as groups where controls and processes must be in place to mitigate risk of CIA to a database driven application.

Can anyone help with top level categories to categorise risk areas above and beyond security and operations? I would rather your comments then endless links to documents that don’t really help. Licensing could perhaps be another risk as apps will have a os, db product in the supporting architecture etc?

Basically I want a tender doc to say, we want the auditors to look at a, b, c and d to identify any risks to the CIA of the application (and supporting infrastructure). And I want help with the a b c and d.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 74

Expert Comment

by:Jeffrey Coachman
ID: 35032731
You may want to click the "Request Attention" button and ask that the SQL zone be added to this Question.

The Experts there have extensive experience with security
0
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 35034117
thought of leveraging the BSIMM domain but define it slightly differently as below - http://www.informit.com/articles/article.aspx?p=1271382

Governance - Establishing the risk assessment metric and the compliance (or standard) workflow (accountability)
Intelligence - Business requirement and Threat Modelling (completeness and contingency planning)
SDL Touchpoints - Architecture review (soundness verification & integrity validation)
Deployment - Configuration and Control mgmt (implementation access control & confidentiality)

For database application, CIAA should be considered under each domain and risk assessment can be derived.
Alternatively, just some thoughts, Microsoft use the threat model such as STRIDE and impact categories such as DREAD which can be useful
@ http://www.devx.com/security/Article/37502/1763/page/4


0
 
LVL 3

Author Comment

by:pma111
ID: 35034519
Thanks so much, will research much further your suggestions and links
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
Any person in technology especially those working for big companies should at least know about the basics of web accessibility. Believe it or not there are even laws in place that require businesses to provide such means for the disabled and aging p…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question