Solved

application "risk categories"

Posted on 2011-03-02
3
1,133 Views
Last Modified: 2012-06-27
Sticking with the 4 main measurement factors of risk impact (confidentiality, integrity, availability, accountability) and the 4 main measurement factors of business impact (financial damage, reputational damage, non-compliance, privacy violation) etc. I have been asked to categorise top level risk groups (ideally about 3 or 4) for an application audit tender.

I don’t just want SECURITY. In my opinion risk extends above and beyond security, for example availability could be affected if backup OPERATIONS aren’t working. So I had come up with security and operations as groups where controls and processes must be in place to mitigate risk of CIA to a database driven application.

Can anyone help with top level categories to categorise risk areas above and beyond security and operations? I would rather your comments then endless links to documents that don’t really help. Licensing could perhaps be another risk as apps will have a os, db product in the supporting architecture etc?

Basically I want a tender doc to say, we want the auditors to look at a, b, c and d to identify any risks to the CIA of the application (and supporting infrastructure). And I want help with the a b c and d.
0
Comment
Question by:pma111
3 Comments
 
LVL 74

Expert Comment

by:Jeffrey Coachman
ID: 35032731
You may want to click the "Request Attention" button and ask that the SQL zone be added to this Question.

The Experts there have extensive experience with security
0
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 35034117
thought of leveraging the BSIMM domain but define it slightly differently as below - http://www.informit.com/articles/article.aspx?p=1271382

Governance - Establishing the risk assessment metric and the compliance (or standard) workflow (accountability)
Intelligence - Business requirement and Threat Modelling (completeness and contingency planning)
SDL Touchpoints - Architecture review (soundness verification & integrity validation)
Deployment - Configuration and Control mgmt (implementation access control & confidentiality)

For database application, CIAA should be considered under each domain and risk assessment can be derived.
Alternatively, just some thoughts, Microsoft use the threat model such as STRIDE and impact categories such as DREAD which can be useful
@ http://www.devx.com/security/Article/37502/1763/page/4


0
 
LVL 3

Author Comment

by:pma111
ID: 35034519
Thanks so much, will research much further your suggestions and links
0

Featured Post

Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now