March 11, 2007

What is Better? Process or Asset Risk Assessment

Posted in Risk Assessment, Security Governance, Security Program Development at 5:20 am by jtbevis

As many of you know, this is one of the main projects in the ISM community, and there are some different perspectives on the best method to perform a Risk Assessment. I am really hoping to get some good feedback across industries on this question.


Where does the Risk Assessment methodology come from?

I know many asset risk assessments are based on the NIST and OCTAVE methods, which is usually the work I perform. Many of the process-based risk assessments I have seen are done by auditors (the Big 5 type companies). When reviewing many of these I notice they all seem different, thus I'm not sure which methods they follow (some use COBIT). Most organizations I have consulted for use the Audit department to perform the process risk assessment, while the asset risk assessment is usually done in a separate group or by information security.


Asset Risk Assessment: Brief overview

The asset-based risk assessment that I perform usually focuses on asset risk in terms of the people, processes, and technology. With that said, I do not map every process, like a process risk assessment does. The end result of the assessment is a list of asset groups (prioritized by severity), threats (assigned a value based on likelihood) mapped to each asset group, and vulnerabilities (ranked by impact and how easy they are to compromise) associated with each asset group. All of these (assets, threats, vulnerabilities) have scores associated with them that, when added up, produce a risk score. Then risk-prioritized recommendations are created to remediate the vulnerabilities.
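To make the scoring structure above concrete, here is an added example (my own illustration, not the author's tool or worksheet) that models asset groups, threats mapped to groups, and vulnerabilities, adds their scores the way the post describes, and sorts the remediation list by risk. The 1-5 scales, the use of the highest-likelihood mapped threat as the threat component, and all sample data are assumptions constructed for the example; the post only says the scores are added.

```python
from dataclasses import dataclass

# Constructed sample data model; the 1-5 scales are an assumption, the post gives no scale.
@dataclass
class AssetGroup:
    name: str
    severity: int            # how critical the group is (1 low .. 5 high)

@dataclass
class Threat:
    name: str
    likelihood: int          # 1 rare .. 5 expected
    asset_groups: list       # names of the asset groups this threat is mapped to

@dataclass
class Vulnerability:
    name: str
    asset_group: str
    impact: int              # 1 low .. 5 high
    ease: int                # 1 hard to compromise .. 5 trivial
    recommendation: str

def risk_score(vuln, groups, threats):
    """Additive score: asset severity + threat likelihood + vulnerability impact + ease.
    The threat component is the highest likelihood among threats mapped to the
    vulnerability's asset group (an assumption made for this example)."""
    mapped = [t.likelihood for t in threats if vuln.asset_group in t.asset_groups]
    return groups[vuln.asset_group].severity + max(mapped, default=0) + vuln.impact + vuln.ease

def prioritized_recommendations(groups, threats, vulns):
    """Return (score, vulnerability name, recommendation) tuples, highest risk first."""
    scored = [(risk_score(v, groups, threats), v.name, v.recommendation) for v in vulns]
    return sorted(scored, key=lambda s: s[0], reverse=True)   # stable: ties keep input order

# Constructed sample inventory (hypothetical names and values).
GROUPS = {g.name: g for g in [AssetGroup("customer-db", 5), AssetGroup("intranet-wiki", 2)]}
THREATS = [Threat("external attacker", 4, ["customer-db"]),
           Threat("careless insider", 3, ["customer-db", "intranet-wiki"])]
VULNS = [
    Vulnerability("unpatched DB listener", "customer-db", 5, 4, "apply vendor patch; restrict listener to app tier"),
    Vulnerability("default wiki admin password", "intranet-wiki", 3, 5, "rotate credentials; enforce password policy"),
    Vulnerability("verbose DB error pages", "customer-db", 2, 2, "disable detailed errors in production"),
]

if __name__ == "__main__":
    for score, name, rec in prioritized_recommendations(GROUPS, THREATS, VULNS):
        print(f"{score:2d}  {name:30s} -> {rec}")
```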


We need both!

Is the asset assessment better than a process assessment? I don't think so, but most organizations that I have consulted (on risk assessment) have problems with a process-based risk assessment when it is done alone. However, when combined together, both methods usually cover most areas of risk. Again, I don't think either one is better than the other. I believe we need a mechanism in place to assess both the asset and its associated processes.


What is your view?
