Solved

Application risk assessment methodology

Posted on 2013-12-07
Last Modified: 2013-12-22
Hi

What's your favourite application risk assessment framework / methodology which takes care of following four points:

1. Risks on application's underlying assets (servers, firewalls, other infrastructural elements)
2. Logical risks - privileges, role based access controls, SoD etc
3. Compliance - Licensing, CALs
4. Executive dashboard with graphical risk rating across the above 3 categories.

Pls advise!
Question by:fahim
6 Comments
 

Expert Comment

by:gheist
You have to contact Microsoft regarding Licensing

For other parts you can identify improvements with price tag and loss multiplied by the chance of damage to happen... Easy, maybe no need to bugger the managers...

Expert Comment

by:btan
Microsoft had a Security Compliance Manager and MSAT that look at baseline checks and the risk assessment aspect.

http://technet.microsoft.com/en-us/library/cc677002.aspx

http://www.microsoft.com/en-us/download/details.aspx?id=12273

Likewise Microsoft has the security lifecycle chain for secure code validation and assessment on code state. Check out the threat modelling tool and the CAT.NET static code tool.

http://www.microsoft.com/security/sdl/default.aspx

If you wish to see it collectively, you would be looking at a GRC (governance, risk and compliance) assessment. RSA Archer is one candidate that matches the baseline from NIST too. The key is the logs from various log sources and the built-in questionnaire to help make a fruitful assessment.

The Attack Surface Analyzer and MBSA tool are another few that Microsoft provides as well.

http://www.microsoft.com/en-us/download/details.aspx?id=24487

Assisted Solution

by:madunix
madunix earned 200 total points

 

Author Comment

by:fahim
Thanks everyone.

Maybe I didn't communicate the needs properly. I see most of the answers are directing me towards tools that help in reaching the final deliverable in various forms.

I am considering a framework for working on the four points I mentioned in my initial query so that I do not leave any areas uncovered.

Has anyone previously had experience of using a structured methodology for such application risk assessment?

Expert Comment

by:gheist
1. It is called environmental conditions. All sorts of insurance companies can insure them, offering free advice on how to improve.
2. It is called misconfiguration (all the above posts deal with that).
3. Licensing business is to be settled with Microsoft. Compliance is usually understood as compliance with law and industry standards, not commercial requirements.
4. There is no telling how environmental conditions may get you.
It may be +50C with thermal shutdown everywhere, or a toilet leaking etc. - how do you visualize it? No idea. You can describe that on 1/10 of days the conditioner is broken and on 1/30 of days the temperature outside is critical, so 1/300 is the chance of them meeting and turning into business impact; this is not measurable up or down.
For misconfiguration (wild guess - admin makes a mistake every 100 lines of typing) - a double check by another person usually brings that to no mistakes...

Next - if you under-assess, some risk may not be covered enough; if you over-assess, your company may pay too much to cover insignificant risk.

Accepted Solution

by:
btan earned 300 total points
1. Risks on application's underlying assets (servers, firewalls, other infrastructural elements)
2. Logical risks - privileges, role based access controls, SoD etc

> This is the standard risk assessment approach e.g. risk = threat * vulnerability (qualitative) or risk = asset value * exposure rate (quantitative). ISACA Risk IT framework will be of interest.
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx

3. Compliance - Licensing, CALs

> This is part of GRC assessment, but focusing on compliance, the first thing to note is what the baseline for the systems is - simply what is needed and must-have vs. what is provisioned and deployed as of the current state. These should be the baseline requirements in your project requirements during the design and user requirement survey. Licensing has variations such as volume (site based) or client based... but it is really hard to equate licensing to compliance as it is more of a project or system requirement.

4. Executive dashboard with graphical risk rating across the above 3 categories.

> That is typically the GRC dashboard. GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”.
I see the ValIT framework augmenting this, and OCEG is a non-profit community taking GRC as its primary focus, hence they do have rich resources on it.
http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Pages/Val-IT1.aspx
http://www.oceg.org/resource-collections/