Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

application "risk categories"

Posted on 2011-03-02
3
Medium Priority
?
1,223 Views
Last Modified: 2012-06-27
Sticking with the 4 main measurement factors of risk impact (confidentiality, integrity, availability, accountability) and the 4 main measurement factors of business impact (financial damage, reputational damage, non-compliance, privacy violation) etc. I have been asked to categorise top level risk groups (ideally about 3 or 4) for an application audit tender.

I don’t just want SECURITY. In my opinion risk extends above and beyond security, for example availability could be affected if backup OPERATIONS aren’t working. So I had come up with security and operations as groups where controls and processes must be in place to mitigate risk of CIA to a database driven application.

Can anyone help with top level categories to categorise risk areas above and beyond security and operations? I would rather your comments then endless links to documents that don’t really help. Licensing could perhaps be another risk as apps will have a os, db product in the supporting architecture etc?

Basically I want a tender doc to say, we want the auditors to look at a, b, c and d to identify any risks to the CIA of the application (and supporting infrastructure). And I want help with the a b c and d.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 74

Expert Comment

by:Jeffrey Coachman
ID: 35032731
You may want to click the "Request Attention" button and ask that the SQL zone be added to this Question.

The Experts there have extensive experience with security
0
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points
ID: 35034117
thought of leveraging the BSIMM domain but define it slightly differently as below - http://www.informit.com/articles/article.aspx?p=1271382

Governance - Establishing the risk assessment metric and the compliance (or standard) workflow (accountability)
Intelligence - Business requirement and Threat Modelling (completeness and contingency planning)
SDL Touchpoints - Architecture review (soundness verification & integrity validation)
Deployment - Configuration and Control mgmt (implementation access control & confidentiality)

For database application, CIAA should be considered under each domain and risk assessment can be derived.
Alternatively, just some thoughts, Microsoft use the threat model such as STRIDE and impact categories such as DREAD which can be useful
@ http://www.devx.com/security/Article/37502/1763/page/4


0
 
LVL 3

Author Comment

by:pma111
ID: 35034519
Thanks so much, will research much further your suggestions and links
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question