Swift
asked on
Application risk assessment methodology
Hi
What's your favourite application risk assessment framework / methodology which takes care of following four points:
1. Risks on application's underlying assets ( servers, firewalls, other infrastructural elements)
2. Logical risks - previleges, role based access controls, SoD etc
3. Compliance - Licensing, CALs
4. Executive dashboard with graphical risk rating across the above 3 categories.
Pls advise!
What's your favourite application risk assessment framework / methodology which takes care of following four points:
1. Risks on application's underlying assets ( servers, firewalls, other infrastructural elements)
2. Logical risks - previleges, role based access controls, SoD etc
3. Compliance - Licensing, CALs
4. Executive dashboard with graphical risk rating across the above 3 categories.
Pls advise!
Microsoft had a security compliance manager and MSAT that looks at baseline checks and risk assessment aspect.
http://technet.microsoft.com/en-us/library/cc677002.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=12273
Likewise Microsoft has the security lifecycle chain for secure code validation and assessment on code state. Check out the threat modelling tool and CAT.NET static code tool
http://www.microsoft.com/security/sdl/default.aspx
If you will to see it collectively, you would be looking at GRC (governance, risk and compliance) assessment. Rsa Archer is one candidate that match baseline from nist too. The key is the log from various log source and questionaire build in to help make a fruitful assessment.
The attack surface analyser and MBSA tool are another few that Microsoft provide as well.
http://www.microsoft.com/en-us/download/details.aspx?id=24487
http://technet.microsoft.com/en-us/library/cc677002.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=12273
Likewise Microsoft has the security lifecycle chain for secure code validation and assessment on code state. Check out the threat modelling tool and CAT.NET static code tool
http://www.microsoft.com/security/sdl/default.aspx
If you will to see it collectively, you would be looking at GRC (governance, risk and compliance) assessment. Rsa Archer is one candidate that match baseline from nist too. The key is the log from various log source and questionaire build in to help make a fruitful assessment.
The attack surface analyser and MBSA tool are another few that Microsoft provide as well.
http://www.microsoft.com/en-us/download/details.aspx?id=24487
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks everyone.
Maybe I didn't communicate the needs properly. I see most of the answers are directing me towards tool that help reaching the final deliverable in various forms.
I am considering the framework of working with on four points I mentioned in my initial query so that I do not leave out any areas un-covered.
Has anyone previously had experience of using a structured methodology for such application risk assessment?
Maybe I didn't communicate the needs properly. I see most of the answers are directing me towards tool that help reaching the final deliverable in various forms.
I am considering the framework of working with on four points I mentioned in my initial query so that I do not leave out any areas un-covered.
Has anyone previously had experience of using a structured methodology for such application risk assessment?
1, is called environmental conditions. All sorts of insurance companies can insure them offering free advice on how to improve.
2. It is called misconfiguration (all the above posts deal with that)
3. Licencing business is to be settled with microsoft. With compliance it is usually understood complicance with law and industry standards, not commercial requirements.
4. There is no telling how environmental conditions may get you.
It may be +50C with thermal shutdown everywhere, or toilet leaking etc - how do you visualize it?No idea, you can describe that 1/10 of days conditioner is broke and 1/30 of days temperature outside us critical, so 1/300 is the chance of them meating and turning into business impact, this is not measurable up or down.
For misconfiguration (wild guess -admin makes mistake every 100 lines of typing) - double check by other person usually brings that to no mistakes...
Next - if you underasses some risk may not be covered enough, if you over-assess your company may pay too much to cover insignificant risk
2. It is called misconfiguration (all the above posts deal with that)
3. Licencing business is to be settled with microsoft. With compliance it is usually understood complicance with law and industry standards, not commercial requirements.
4. There is no telling how environmental conditions may get you.
It may be +50C with thermal shutdown everywhere, or toilet leaking etc - how do you visualize it?No idea, you can describe that 1/10 of days conditioner is broke and 1/30 of days temperature outside us critical, so 1/300 is the chance of them meating and turning into business impact, this is not measurable up or down.
For misconfiguration (wild guess -admin makes mistake every 100 lines of typing) - double check by other person usually brings that to no mistakes...
Next - if you underasses some risk may not be covered enough, if you over-assess your company may pay too much to cover insignificant risk
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
For other parts you can identify improvements with price tag and loss multiplied by the chance of damage to happen... Easy, maybe no need to bugger the managers...