What is Better? Process or Asset Risk Assessment

Posted: March 11, 2007 in Risk Assessment, Security Governance, Security Program Development

As many of you know, this is one of the main projects in the ISM community and there are some different perspectives on the best method to perform a Risk Assessment. I am really hoping to get some good feedback across industries on this question.

   

Where does the Risk Assessment methodology come from?

I know many asset risk assessments are based on the NIST and OCTAVE methods, which is usually the work I perform. Many of the process based risk assessments I have seen are done by auditors (the Big 5 type companies). When reviewing many of these I notice they all seem different, thus I’m not sure of the methods they follow (some use COBIT). Most organizations I have consulted to use the Audit department to perform the process risk assessment while the asset risk assessment is usually done in a separate group or by information security.

 

Asset Risk Assessment: Brief overview

The asset based risk assessment that I perform usually focuses on asset risk in terms of the people, processes, and technology. With that said, I do not map every process, like a process risk assessment. The end result of the assessment is a list of asset groups (prioritized by severity), threats (assigned a value based on likelihood) mapped to each asset group, and vulnerabilities (ranked by impact and how easy it is to compromise) associated with each asset group. All of these (assets, threats, vulnerabilities) have scores associated with them that when added up produce a risk score. Then risk-prioritized recommendations are created to remediate the vulnerabilities.
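The additive scoring described above can be sketched as follows. This is an added example, not the author's own worksheet or tooling. It assumes 1 to 5 rating scales and that the highest-likelihood threat mapped to a group is the one that counts; all asset groups, ratings and names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumption for this example: every rating is on a 1 (low) to 5 (high) scale.
@dataclass
class Vulnerability:
    name: str
    impact: int   # damage if the weakness is exploited
    ease: int     # how easy it is to compromise
    fix: str      # recommended remediation

@dataclass
class AssetGroup:
    name: str
    severity: int                                  # criticality of the group
    threats: dict = field(default_factory=dict)    # threat name -> likelihood
    vulns: list = field(default_factory=list)

def risk_score(group, vuln):
    """Additive score: severity + highest mapped threat likelihood + impact + ease."""
    likelihood = max(group.threats.values(), default=0)  # assumption: worst threat counts
    return group.severity + likelihood + vuln.impact + vuln.ease

def prioritized_recommendations(groups):
    """Return (score, asset group, vulnerability, fix) rows, highest risk first."""
    rows = [(risk_score(g, v), g.name, v.name, v.fix) for g in groups for v in g.vulns]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def incomplete_groups(groups):
    """Groups with no threat or no vulnerability mapped: their scores understate risk."""
    return [g.name for g in groups if not g.threats or not g.vulns]

# Constructed sample register (hypothetical asset groups and ratings).
SAMPLE = [
    AssetGroup("Customer database", 5, {"external attacker": 4, "insider misuse": 3},
               [Vulnerability("unencrypted backups", 5, 3, "encrypt backup media"),
                Vulnerability("shared admin account", 4, 5, "issue named admin accounts")]),
    AssetGroup("Public web servers", 3, {"external attacker": 5},
               [Vulnerability("missing patches", 3, 4, "apply vendor patches")]),
    AssetGroup("HR file shares", 4, {},  # no threat mapped yet
               [Vulnerability("open share permissions", 3, 5, "restrict share ACLs")]),
]

if __name__ == "__main__":
    for score, group, vuln, fix in prioritized_recommendations(SAMPLE):
        print(f"{score:>2}  {group}: {vuln} -> {fix}")
    print("Incomplete mapping:", incomplete_groups(SAMPLE))
```

Groups reported by `incomplete_groups` still appear in the ranking, but with a likelihood of zero, so they should be reviewed before the list is used to order remediation work.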

 

We need both!

Is the asset assessment better than a process assessment?  I don’t think so, but most organizations that I have consulted (on risk assessment) have problems with a process based risk assessment when it is done alone.  However, when combined together both methods usually cover most areas of risk.  Again, I don’t think either one is better than the other.  I believe we need a mechanism in place to assess both the asset and its associated processes.  

 

What is your view?

Comments
  1. Mustafa says:

    Dear,

    This is a very interesting topic and I thank you for discussing it. If you’ve process based assessments, it would be great if you can share some samples. I’m also wondering why process based assessment will not be enough? Is it because you usually find assets that you cannot map to certain assets? Although this must be challenged as an asset that is not supporting any business process, should not be there in the first place. I hope we can discuss this more.

    Thank you

  2. Mustafa says:

    Sorry, I meant assets you cannot map to a business process, on the fourth line of my previous comment


  10. Abdul Rub says:

    Understanding the business, identifying the critical business processes and later mapping these processes with the critical assets. I guess that’s the funda.
