application "risk categories"

Posted on 2011-03-02
Last Modified: 2012-06-27
Sticking with the 4 main measurement factors of risk impact (confidentiality, integrity, availability, accountability) and the 4 main measurement factors of business impact (financial damage, reputational damage, non-compliance, privacy violation), etc., I have been asked to categorise top-level risk groups (ideally about 3 or 4) for an application audit tender.

I don't just want SECURITY. In my opinion, risk extends above and beyond security; for example, availability could be affected if backup OPERATIONS aren't working. So I had come up with security and operations as groups where controls and processes must be in place to mitigate risk to the CIA of a database-driven application.

Can anyone help with top-level categories to categorise risk areas above and beyond security and operations? I would rather have your comments than endless links to documents that don't really help. Licensing could perhaps be another risk, as apps will have an OS, DB product, etc. in the supporting architecture?

Basically, I want a tender doc to say: we want the auditors to look at a, b, c and d to identify any risks to the CIA of the application (and supporting infrastructure). And I want help with the a, b, c and d.
Question by: pma111
3 Comments
 
LVL 74

Expert Comment

by:Jeffrey Coachman
ID: 35032731
You may want to click the "Request Attention" button and ask that the SQL zone be added to this Question.

The Experts there have extensive experience with security.
0
 
LVL 63

Accepted Solution

by: btan (earned 250 total points)
ID: 35034117
Thought of leveraging the BSIMM domains but defining them slightly differently, as below - http://www.informit.com/articles/article.aspx?p=1271382

Governance - Establishing the risk assessment metric and the compliance (or standard) workflow (accountability)
Intelligence - Business requirement and Threat Modelling (completeness and contingency planning)
SDL Touchpoints - Architecture review (soundness verification & integrity validation)
Deployment - Configuration and Control mgmt (implementation access control & confidentiality)

For a database application, CIAA should be considered under each domain, and a risk assessment can be derived.
Alternatively, just some thoughts: Microsoft uses a threat model such as STRIDE and impact categories such as DREAD, which can be useful
@ http://www.devx.com/security/Article/37502/1763/page/4


0
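As an added illustration of the accepted answer (this is example code written for this page, not something btan or the original post supplied), the script below tags each threat to a database-driven application with a STRIDE letter, maps it to the security property it violates and to the CIAA bucket, scores it with DREAD, and rolls the ranking up under the four domains from the answer. The threats, domains, DREAD factor values and rating thresholds are constructed sample data and assumptions; the STRIDE-to-property mapping is the standard one.

```python
"""Added example: STRIDE -> CIAA mapping plus DREAD scoring, grouped by domain.

The threats, scores and rating thresholds below are constructed sample data,
not content from the original post. The STRIDE -> property mapping is the
standard one (Spoofing -> Authentication, Tampering -> Integrity,
Repudiation -> Non-repudiation, Information disclosure -> Confidentiality,
Denial of service -> Availability, Elevation of privilege -> Authorization).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import fmean

# Security property violated by each STRIDE category, and the CIAA bucket used
# in the answer. S and R both land under accountability; E is an authorization
# failure, which in CIAA terms hits confidentiality and integrity.
STRIDE_TO_PROPERTY = {
    "S": ("Authentication", "Accountability"),
    "T": ("Integrity", "Integrity"),
    "R": ("Non-repudiation", "Accountability"),
    "I": ("Confidentiality", "Confidentiality"),
    "D": ("Availability", "Availability"),
    "E": ("Authorization", "Confidentiality/Integrity"),
}

# The four domains proposed in the accepted answer.
DOMAINS = ("Governance", "Intelligence", "SDL Touchpoints", "Deployment")


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str     # one of S, T, R, I, D, E
    domain: str     # one of DOMAINS
    # (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
    dread: tuple    # each factor rated 1..10


def dread_score(factors):
    """Classic DREAD: arithmetic mean of the five factors, each rated 1..10."""
    if len(factors) != 5 or any(not 1 <= f <= 10 for f in factors):
        raise ValueError("DREAD takes exactly five factors rated 1..10")
    return fmean(factors)


def rating(score):
    """Bucket a DREAD score. Thresholds are an assumption; adjust per tender."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def assess(threats):
    """Score every threat and return rows sorted from highest to lowest risk."""
    rows = []
    for t in threats:
        if t.stride not in STRIDE_TO_PROPERTY:
            raise ValueError(f"unknown STRIDE category {t.stride!r}")
        if t.domain not in DOMAINS:
            raise ValueError(f"unknown domain {t.domain!r}")
        score = dread_score(t.dread)
        prop, ciaa = STRIDE_TO_PROPERTY[t.stride]
        rows.append({"name": t.name, "domain": t.domain, "stride": t.stride,
                     "property": prop, "ciaa": ciaa,
                     "score": score, "rating": rating(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def by_domain(threats):
    """Group the ranked rows under the answer's four domains (highest first)."""
    grouped = defaultdict(list)
    for row in assess(threats):
        grouped[row["domain"]].append(row)
    return dict(grouped)


# Constructed sample threats for a database-driven web application.
SAMPLE_THREATS = [
    Threat("SQL injection in search endpoint", "T", "SDL Touchpoints", (8, 9, 8, 9, 7)),
    Threat("Nightly backup job silently failing", "D", "Deployment", (9, 10, 3, 10, 4)),
    Threat("Shared DBA account, no audit trail", "R", "Governance", (6, 10, 5, 5, 8)),
    Threat("Verbose stack traces leak DB connection string", "I", "Deployment", (7, 10, 6, 8, 9)),
    Threat("Admin login lacks rate limiting", "S", "Intelligence", (6, 8, 7, 4, 6)),
]

if __name__ == "__main__":
    for domain, rows in by_domain(SAMPLE_THREATS).items():
        print(domain)
        for r in rows:
            print(f"  {r['score']:.1f} {r['rating']:<6} [{r['stride']}] "
                  f"{r['property']:<16} {r['name']}")
```

Running it prints each domain with its threats ranked by DREAD score, so the tender can point auditors at the domain and the CIAA property each finding belongs to rather than a flat list.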
 
LVL 3

Author Comment

by:pma111
ID: 35034519
Thanks so much, will research much further your suggestions and links
0
