Solved

application "risk categories"

Posted on 2011-03-02
3
1,177 Views
Last Modified: 2012-06-27
Sticking with the 4 main measurement factors of risk impact (confidentiality, integrity, availability, accountability) and the 4 main measurement factors of business impact (financial damage, reputational damage, non-compliance, privacy violation) etc. I have been asked to categorise top level risk groups (ideally about 3 or 4) for an application audit tender.

I don’t just want SECURITY. In my opinion risk extends above and beyond security, for example availability could be affected if backup OPERATIONS aren’t working. So I had come up with security and operations as groups where controls and processes must be in place to mitigate risk of CIA to a database driven application.

Can anyone help with top level categories to categorise risk areas above and beyond security and operations? I would rather your comments then endless links to documents that don’t really help. Licensing could perhaps be another risk as apps will have a os, db product in the supporting architecture etc?

Basically I want a tender doc to say, we want the auditors to look at a, b, c and d to identify any risks to the CIA of the application (and supporting infrastructure). And I want help with the a b c and d.
0
Comment
Question by:pma111
3 Comments
 
LVL 74

Expert Comment

by:Jeffrey Coachman
ID: 35032731
You may want to click the "Request Attention" button and ask that the SQL zone be added to this Question.

The Experts there have extensive experience with security
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 35034117
thought of leveraging the BSIMM domain but define it slightly differently as below - http://www.informit.com/articles/article.aspx?p=1271382

Governance - Establishing the risk assessment metric and the compliance (or standard) workflow (accountability)
Intelligence - Business requirement and Threat Modelling (completeness and contingency planning)
SDL Touchpoints - Architecture review (soundness verification & integrity validation)
Deployment - Configuration and Control mgmt (implementation access control & confidentiality)

For database application, CIAA should be considered under each domain and risk assessment can be derived.
Alternatively, just some thoughts, Microsoft use the threat model such as STRIDE and impact categories such as DREAD which can be useful
@ http://www.devx.com/security/Article/37502/1763/page/4


0
 
LVL 3

Author Comment

by:pma111
ID: 35034519
Thanks so much, will research much further your suggestions and links
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question