Comparative of risk analysis methodologies

A comparison done by me of 3 different risk analysis methodologies: CRAMM, NIST and Octave.

Published in: Technology, Business
Transcript

  • 1. Highlights (columns: CRAMM / NIST SP 800-30 / Octave)

    Methodology manager
      CRAMM: CRAMM belongs to Siemens
      NIST SP 800-30: National Institute of Standards and Technology (NIST)
      Octave: Software Engineering Institute (SEI) and Carnegie Mellon University (CMU)

    Country of origin
      CRAMM: UK
      NIST SP 800-30: United States
      Octave: United States

    Website
      CRAMM: http://www.cramm.com/
      NIST SP 800-30: http://www.nist.gov/
      Octave: http://www.cert.org/octave/

    Versions
      CRAMM: Last version: CRAMM NATO V5.6
      NIST SP 800-30: 800-30 Rev.1 (2002)
      Octave: OCTAVESM Method Version 2.0

    Tool to apply the methodology
      CRAMM: A large number of tools for analysis and management using this methodology (e.g. CRAMM Express)
      NIST SP 800-30: The standard does not specify a particular tool for analysis
      Octave: The standard does not specify a particular tool for analysis. The methodology speaks of "Vulnerability Evaluation Tools".

    Main concepts
      CRAMM: Assets, threats, vulnerabilities, risks, safeguards (countermeasures)
      NIST SP 800-30: Threats, vulnerabilities, risks, controls
      Octave: Assets, threats, vulnerabilities, risks

    Main steps
      CRAMM:
        1- Asset identification and valuation (physical assets, software, and data assets in information systems are identified)
        2- Threat and vulnerability measurement (determine the likelihood of these problems occurring)
        3- Selection and recommendation of countermeasures (CRAMM contains a library of more than 3,000 countermeasures organized in 70 groups)
      NIST SP 800-30:
        1- Initiation (risk identification is used to support the development of system requirements)
        2- Development or acquisition (the IT system is designed, expressed and proposed, or constructed)
        3- Implementation (the system's security assets are configured, enabled, tested and verified)
        4- Operation and maintenance (maintenance activities for risk reduction are performed)
        5- Arrangement (the risk management activities are carried out on the system components)
      Octave:
        1- Construction of vulnerabilities based on assets (organizational view)
        2- Identification of vulnerabilities of the infrastructure (technological view)
        3- Development of the security strategy and plans for mitigation of vulnerabilities (strategy and development plan)

    Main features
      CRAMM:
        * > 400 types of assets
        * 38 types of threats
        * > 25 types of impacts
        * 7 risk measures
        * > 3500 controls
      NIST SP 800-30:
        * Attaches great importance to the controls
        * Speaks of key profiles within the organization regarding the responsibility for risk management
      Octave:
        * Has 'self-direction': a small team of staff from the same organization is involved in the process of implementing the methodology (IT staff and other departments)
        * Creation of a small interdisciplinary information analysis team
        * Workshop-based approach, where people from different levels of the organization work to identify vulnerabilities
        * Based on assets
        * Information catalogs: catalogs of practices, asset profiles, list of vulnerabilities
        * Talks about a balance between three aspects: technology, operational risk and security practices

    Scope where the methodology is used
      CRAMM: * Risk analysis * Risk management * Master security plan
      NIST SP 800-30: * Risk analysis * Risk management * Master security plan
      Octave: * Risk analysis * Risk management * Master security plan

    Who holds the methodology
      CRAMM: Small interdisciplinary group of internal staff
      NIST SP 800-30: Small interdisciplinary group of internal staff
      Octave: Small interdisciplinary group of internal staff

  • 2. Highlights (columns: CRAMM / NIST SP 800-30 / Octave)

    Cost
      CRAMM: In 2001 version 4 costs:
        * For a commercial company: £2,800 + £850 per year/maintenance
        * For agencies and departments of the British state: £1,600 + £850 per year/maintenance
      NIST SP 800-30: Costs associated with the benefit, giving a condition on the cost of a security master plan: provided that the cost is less than the cost of the risk analyzed and solved, the cost will be low
      Octave:
        * Internal use: free
        * External use: you must purchase the license from SEI if you implement the methodology for a third party

    Test result (outputs)
      CRAMM:
        * Table of risk assessment on assets (scale of 1-10)
        * Recommended controls list
      NIST SP 800-30: Documentation results
      Octave:
        Phase 1: critical assets, critical requirements for critical assets, vulnerabilities of critical assets, list of current security practices, list of current organizational vulnerabilities
        Phase 2: key components, current technological vulnerabilities
        Phase 3: risk of critical assets, risk metrics, protection strategy, risk mitigation plans

    Advantages
      Scope
        CRAMM: International (CRAMM v.5.1 was used in 23 countries)
        NIST SP 800-30: International
        Octave: International
      Right of use
        CRAMM: n/a
        NIST SP 800-30: n/a
        Octave: * Internal use: limit
      Tool to apply the methodology
        CRAMM: A lot of tools implementing the methodology
        NIST SP 800-30: n/a
        Octave: n/a
      Certification
        CRAMM: Certification helps for BS 7799 and ISO/IEC 27001
        NIST SP 800-30: Certification helps for ISO/IEC 27001
        Octave: Certification helps for ISO/IEC 27001

    Disadvantages
      Scope
        CRAMM: n/a
        NIST SP 800-30: n/a
        Octave: n/a
      Right of use
        CRAMM: * You have to pay the license fee (beyond the cost of implementing and maintaining the analysis)
        NIST SP 800-30: * You have to pay the license fee (beyond the cost of implementing and maintaining the analysis)
        Octave: * External use: limited to a license fee for use

  • 3. Risk scale (columns: asset assessment / threat / vulnerability / probability / impact / risk)
      CRAMM: Asset X [1-5]; Threat Y; Vulnerability W; Probability Z [1-5]; Impact [1-5]; Risk scale [3 to 15]
      NIST SP 800-30: Asset X High-Medium-Low; Threat Y; Vulnerability W; Probability Z (High-Medium-Low); Impact High-Medium-Low; Risk High-Medium-Low
      Octave: Asset X; Threat Y; Vulnerability W; Probability Z; impact and risk: find the highest risk in a decision tree

    The aim of risk management is to reduce the probability and/or the impact. The threat itself cannot be reduced; what one tries to do is eliminate the vulnerability, so that the probability of the threat occurring is lower, or so that the impact if it does occur is smaller. A good practice used in large companies is to apply NIST first to filter the high risks,
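The scoring rules from slide 3, carried through on a small constructed risk register, as an added example that is not part of the slides and not the author's own material. It scores each entry on the CRAMM [1-5] scales and on the NIST High/Medium/Low ratings, applies the slide's "NIST first, keep the high risks" filter, and models the closing point that a safeguard lowers probability or impact while the threat itself stays. Two things go beyond the slide and are assumptions: the CRAMM [3 to 15] risk scale is read as the plain sum of asset value, probability and impact (CRAMM's own lookup matrix is not on the page), and the numeric weights used to combine the NIST ratings are those of the 2002 edition of SP 800-30 (likelihood 1.0/0.5/0.1, impact 100/50/10), which the slide does not state. The Octave decision tree is not modelled. Asset names and ratings in `REGISTER` are constructed.

```python
"""Score a constructed risk register with the CRAMM and NIST scales from slide 3."""
from dataclasses import dataclass, replace

CRAMM_MIN, CRAMM_MAX = 1, 5          # asset value, probability and impact are each [1-5]

# Assumption: the likelihood/impact weights of the 2002 edition of NIST SP 800-30;
# the slide only says each factor is rated High / Medium / Low.
NIST_LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
NIST_IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int       # CRAMM asset valuation, 1-5
    probability: int       # CRAMM probability, 1-5
    impact: int            # CRAMM impact, 1-5
    nist_likelihood: str   # NIST likelihood: High / Medium / Low
    nist_impact: str       # NIST impact: High / Medium / Low


def _check_cramm_scale(name: str, value: int) -> None:
    if not CRAMM_MIN <= value <= CRAMM_MAX:
        raise ValueError(f"{name}={value} is outside the CRAMM [1-5] scale")


def cramm_score(entry: RiskEntry) -> int:
    """Assumption: the slide's [3 to 15] scale is the sum of asset value,
    probability and impact (3 = all ones, 15 = all fives)."""
    for name in ("asset_value", "probability", "impact"):
        _check_cramm_scale(name, getattr(entry, name))
    return entry.asset_value + entry.probability + entry.impact


def nist_level(likelihood: str, impact: str) -> str:
    """Combine the two qualitative ratings into a High / Medium / Low risk level
    using the 2002 SP 800-30 thresholds (>50 High, >10 Medium, else Low)."""
    product = NIST_LIKELIHOOD[likelihood] * NIST_IMPACT[impact]
    if product > 50:
        return "High"
    if product > 10:
        return "Medium"
    return "Low"


def nist_high_risks(register: list) -> list:
    """The NIST-first filter from the slide: keep only the High-rated entries so
    a large organisation can concentrate its detailed analysis on them."""
    return [e for e in register if nist_level(e.nist_likelihood, e.nist_impact) == "High"]


def mitigate(entry: RiskEntry, probability_drop: int = 0, impact_drop: int = 0) -> RiskEntry:
    """A safeguard does not remove the threat: it lowers the probability (by
    closing the vulnerability) and/or the impact. Threat and asset value are
    untouched, and no rating drops below the bottom of the scale."""
    return replace(
        entry,
        probability=max(CRAMM_MIN, entry.probability - probability_drop),
        impact=max(CRAMM_MIN, entry.impact - impact_drop),
    )


# Constructed sample register (hypothetical assets and ratings, not from the slides).
REGISTER = [
    RiskEntry("customer database", "disclosure", "unpatched DB server", 5, 4, 5, "High", "High"),
    RiskEntry("payroll system", "unavailability", "single power feed", 4, 2, 4, "Medium", "High"),
    RiskEntry("intranet wiki", "defacement", "default credentials", 2, 3, 1, "High", "Low"),
]

if __name__ == "__main__":
    for e in REGISTER:
        print(f"{e.asset:18} CRAMM={cramm_score(e):2}  NIST={nist_level(e.nist_likelihood, e.nist_impact)}")
    top = nist_high_risks(REGISTER)
    print("NIST-High entries:", [e.asset for e in top])
    patched = mitigate(top[0], probability_drop=3)
    print(f"after the safeguard: CRAMM {cramm_score(top[0])} -> {cramm_score(patched)}")
```

Run as a script it prints both scores for every entry, then the NIST-High subset, then the CRAMM score before and after a safeguard that drops the probability. Note that the two scales are scored independently from their own inputs; the slide gives no mapping between a CRAMM 1-5 rating and a NIST High/Medium/Low one, so none is assumed here.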
