SlideShare uma empresa Scribd logo

Dit yvol4iss50

Rick Lemieux
Rick Lemieux
TecnologiaNegócios
1 de 4
Baixar para ler offline
10 Steps to Do It Yourself CRAMM Page 1 of 4 The workable, practical guide to Do IT Yourself Vol. 4.50 • December 17, 2008 10 Steps to Do It Yourself CRAMM By Hank Marquis Hank is EVP of Knowledge Management at Universal Solutions Group, and Founder and Director of NABSM.ORG. Contact Hank by email at hank.marquis@usgct.com. View Hank’s blog at www.hankmarquis.info. T he IT Infrastructure Library (ITIL®) promotes the CCTA Risk Analysis and Management Method (CRAMM) for risk assessment. Everyone agrees managing risk is critical, yet few actually use CRAMM or any other formal system! Part of the reason for this is that CRAMM is a sophisticated software tool that requires a trained practitioner to operate. However, if you examine CRAMM, you soon realize you can obtain many of the benefits without investing in consultants or expensive software solutions. CRAMM is simply a process template for analyzing risks (threats an asset faces due to vulnerabilities) and then managing those risks through countermeasures. While CRAMM software includes over 3,000 countermeasures in its database -- something you don’t get doing CRAMM yourself -- you can still achieve sound risk assessments. Following I will explain CRAMM goals, methods, techniques and applications; then I will show how to gain many CRAMM benefits in a matter of minutes -- for very low cost. CRAMM provides a framework to calculate risk from asset values and vulnerabilities, referred to as Risk Analysis. The framework also helps you avoid, reduce, or choose to accept these risks, referred to as Risk Management. The idea is that by analyzing assets one can realize the potential damage caused by a failure in Confidentiality (unauthorized disclosure), Integrity (unauthorized modification or misuse) or Availability (destruction or loss). CRAMM supposes that it is cost prohibitive to eliminate risk, but that you can cost effectively mitigate risk by structured analysis of assets. CRAMM follows a rigid format. CRAMM: Uses meetings, interviews, and questionnaires for data collection. Identifies and categorizes IT assets into one of three categories: 1) data, 2) application/software 3) physical assets (equipment, buildings, staff, etc.) Requires you to consider the Impact of the loss of Confidentiality, Integrity and Availability (CIA) of the asset. Expresses Vulnerability (the likelihood that a threat may occur) as: very high, high, medium, low or very low. Expresses Risk (the likelihood that a threat could exploit the Vulnerability) as: high, medium or low. CRAMM has three stages: 1. Asset identification and valuation. The goal here is to identify and value assets. 2. Threat and vulnerability assessment. The goal here is to assess the CIA risks to assets. 3. Countermeasure selection and recommendation. The goal here is to identify the changes required to manage the CIA risks identified. Risk Assessment comprises stage 1, and about half of stage 2; Risk Management the balance of stage 2 and stage 3. At each stage there is discussion and agreement with the appropriate level of management. This is where awareness builds in management of the issues. One of the most difficult aspects of risk management is justifying the costs involved, which may be very high. Traditional cost vs. benefit analysis does not work well for security, and CRAMM provides a clearer method for showing the potential cost to an organization. CRAMM also involves the entire organization (management, IT http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008
10 Steps to Do It Yourself CRAMM Page 2 of 4 staff and Customers) in the process, creating buy-in and acceptance of the result of your assessment. The Manual CRAMM Without the CRAMM software, you can approximate a CRAMM session using some paper, pencils, office tools like spreadsheets and word processors, the knowledge of your staff, the security Incidents that have occurred, and of course, news about the latest hacker exploits. The following assessment process is based on CRAMM tenets, but does not provide the same level of detail, control, or options as the CRAMM software. On the other hand, you will not spend thousands of dollars and you will still find it capable and valuable! Figure 1 shows the results of a completed “Manual CRAMM” assessment. Asset Owner: A. Owner Asset: Credit Card Data CONFIDENTIALITY public (0), restricted (1-5), confidential (6-9), secure (10) INTEGRITY low (1-3), moderate (4-7), high (8-9, very high (10) AVAILABILITY low (1-3), moderate (4-6), high (7-8), very high (9), mandatory (10) 10 / secure 10 / very high 8 / high Impact Requirement (1-10) Threats list all that apply Disclosure Theft Loss Hacking Input Errors Drive Failure Power Failure Vulnerability (1-10) none (0), low (1-4), moderate (5-7), high (8-9), very high (10) 10 3 1 8 2 5 2 Threat (1 to 100) Impact X Vulnerability 100 30 10 80 20 40 16 Risk Level Low (1-33), Medium (34-67), High (68-100) High Low Low High Low Medium Low Countermeasures list all that apply Password Protection Data Input Forms Firewall Data validation Figure 1. Example Manual “CRAMM” Grid 10-Step Plan Following is a 10-step plan that involves IT staff and the Business, enhances the IT infrastructure (products) and organization (people, process) security, and provides sound financial justification to the business for the expenditures required. 1. Gain (or grant) authority for the security review to proceed. 2. Define the scope of the review (IT service, location, application, etc.,) assign a team, and identify sources of information. Draft, review, and agree a project control document. You are now ready to start collecting data! 3. Begin stage 1 -- identify assets within the scope of the review (data, application/software and physical assets.) A Configuration Management Database (CMDB) is valuable here, if you do not have a CMDB then ask around about important data, software or physical assets. You can leverage previous Business Impact Analysis (BIA) work that you have done here as well. [See ‘How to Win with BIA’ DITY Vol. 2 #2 for more on BIA] 4. Prepare a grid or table. A spreadsheet works well for this. (See figure 1.) For each asset, list the asset and the asset “owner” -- the owner is the person who knows best, the usage and value of this asset. This process also raises the level of acceptance of your review findings and proposals. 5. Interview the asset owner; have the asset owner value data and software assets by the impact/cost resulting from loss of Confidentiality, Integrity, or Availability; and physical assets by replacement cost. Have data owners consider http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008
10 Steps to Do It Yourself CRAMM Page 3 of 4 the impact of the following attributes of their asset: a. Confidentiality -- impact of or sensitivity to disclosure of the asset to non-authorized parties, e.g., “employees,” “contractors,” etc. Use confidentiality requirement categories of public (0), restricted (1-5), confidential (6-9), and secure (10). b. Integrity -- impact of unknown or unauthorized modification e.g. “data input errors,” etc. Use integrity requirement categories of low (1-3), moderate (4-7), high (8-9), and very high (10). c. Availability -- impact of the asset being unavailable for various time frames, e.g., “less than 15 minutes”, “1 hour”, “1 day”, etc. Use availability requirement categories of low (1-3), moderate [OK to recover in days] (4-6), high [hours] (7-8), very high [minutes] (9), and mandatory [cannot be down] (10). For a, and c above, have the data owner first choose a category for each, then a value within the category. For example, for Integrity, have them choose first from low, moderate, high and very high. Then, if they chose moderate in this case, ask them to rank the impact on a scale of 4 to 7. If there are existing measures already in place to control risks identify them during this stage. Update the grid and move to stage 2. 6. Begin stage 2 -- review and agree deliverables from Stage 1. Determine how likely each risk in stage 1 is by asking questions of support personnel, experts and other personnel using prepared questionnaires to try and asses the likelihood that the identified risks could actually occur. Consider Hackers (inside and outside the company), Viruses, Failures (hardware and software), Disasters (terrorism and natural), and People, process or procedure errors. Create a column for each threat. Use a categories of none (0), low (1-4), moderate (5-7), high (8-9), and very high (10). Update the spreadsheet for each asset. 7. Calculate the Risk entry by multiplying the Impact by the Vulnerability. Based on the risk score (impact X vulnerability) assign a label of low (1-33), medium (34-67), or high (68-100). Update the spreadsheet for each asset. You now have an agreed list of the most vulnerable areas! Since this list is developed with and agreed by the Business, you also have a powerful ally for justifying the need to proceed. 8. Begin stage 3 -- review and agree deliverables from Stage 2. Begin to identify and select countermeasures for those assets with the highest risk level. CRAMM contains a very large countermeasure library consisting of over 3000 detailed countermeasures organized into over 70 logical groupings. Of course, without the CRAMM software, you do not have this, but you can still come up with many possible countermeasures through brainstorming and researching the risks identified. [See ‘Availability Management on a Budget’ DITY Vol. 1 #2 for more on using tools like CFIA, FTA, SOA and others to develop solutions.] 9. Consider countermeasures and ways to mitigate the threats. Focus on the higher-level threats first, but don't overlook quick, easy or cheap fixes to lower level threats. In Figure 1, notice that we also chose to implement some countermeasures for low level as well as high level threats. Give precedence to those countermeasures that: a. protect against several threats b. protect high risk assets c. apply where there are no countermeasures already in use d. are less expensive to implement e. are more effective at preventing or mitigating threats f. prevent threats rather than detecting or facilitating recovery g. can be implemented quickly, easily and inexpensively (even for low risk) 10. Raise an RFC for the highest-level threats; use your assessments as justification for the Change. Produce a schedule http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008
10 Steps to Do It Yourself CRAMM Page 4 of 4 and plan for implementation of agreed countermeasure recommendations. Summary The concepts of CRAMM applied via formal methods like these ensure consistent identification of risks and countermeasures, and provides cost justification for the countermeasures proposed. Even without expensive CRAMM software, you can gain powerful benefits like driving Business/IT Alignment, bringing security risks to the forefront, and assisting in the cost justification of countermeasures. Entire Contents © 2008 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008

Recomendados

Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
Risk analysis
Risk analysis Risk analysis
Risk analysis Samuel Gher
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsVidyalankar Institute of Technology
 
MISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanMISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanJan Wong
 
Dj24712716
Dj24712716Dj24712716
Dj24712716IJERA Editor
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 

Recomendados

Microsoft Risk Management
Microsoft Risk ManagementMicrosoft Risk Management
Microsoft Risk ManagementUlukman Mamytov
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
Risk analysis
Risk analysis Risk analysis
Risk analysis Samuel Gher
 
Information Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsInformation Serurity Risk Assessment Basics
Information Serurity Risk Assessment BasicsVidyalankar Institute of Technology
 
MISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanMISO L008 Disaster Recovery Plan
MISO L008 Disaster Recovery PlanJan Wong
 
Dj24712716
Dj24712716Dj24712716
Dj24712716IJERA Editor
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji JacobBeji Jacob
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk AssessmentsJoAnna Cheshire
 
Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...
Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...
Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...wardell henley
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Managementjpubal
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
CRISC Exam Questions
CRISC Exam QuestionsCRISC Exam Questions
CRISC Exam QuestionsCertifications
 
Know risk for mining industry 1
Know risk for mining industry 1Know risk for mining industry 1
Know risk for mining industry 1Ozdocs
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016EnterpriseGRC Solutions, Inc.
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Managementtschraider
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
DEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTERDEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTERChristopher Nanchengwa
 
L008 Disaster Recovery Plan (2016)
L008 Disaster Recovery Plan (2016)L008 Disaster Recovery Plan (2016)
L008 Disaster Recovery Plan (2016)Jan Wong
 
Outsourcing
OutsourcingOutsourcing
Outsourcingkarlhennessy
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Riskamiable_indian
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Bossrbrockway
 
Risk management in software engineering
Risk management in software engineeringRisk management in software engineering
Risk management in software engineeringdeep sharma
 
Risk Management In Software Product Development
Risk Management In Software Product DevelopmentRisk Management In Software Product Development
Risk Management In Software Product DevelopmentAmandeep Midha
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slidesSteve Arnold
 
Dit yvol3iss32
Dit yvol3iss32Dit yvol3iss32
Dit yvol3iss32Rick Lemieux
 
Dit yvol2iss34
Dit yvol2iss34Dit yvol2iss34
Dit yvol2iss34Rick Lemieux
 

Mais conteúdo relacionado

Mais procurados

Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...
Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...
Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...wardell henley
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management Ersoy AKSOY
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Managementjpubal
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskSarah Clarke
 
Know risk for mining industry 1
Know risk for mining industry 1Know risk for mining industry 1
Know risk for mining industry 1Ozdocs
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offeringeeaches
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Managementtschraider
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
L008 Disaster Recovery Plan (2016)
L008 Disaster Recovery Plan (2016)L008 Disaster Recovery Plan (2016)
L008 Disaster Recovery Plan (2016)Jan Wong
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Riskamiable_indian
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Bossrbrockway
 
Risk management in software engineering
Risk management in software engineeringRisk management in software engineering
Risk management in software engineeringdeep sharma
 
Risk Management In Software Product Development
Risk Management In Software Product DevelopmentRisk Management In Software Product Development
Risk Management In Software Product DevelopmentAmandeep Midha
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slidesSteve Arnold
 

Mais procurados (20)

Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...
Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...
Strategies improving-vulnerability-assessment-effectiveness-large-organizatio...
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Management
 
Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
 
CRISC Exam Questions
CRISC Exam QuestionsCRISC Exam Questions
CRISC Exam Questions
 
Know risk for mining industry 1
Know risk for mining industry 1Know risk for mining industry 1
Know risk for mining industry 1
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
How To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete DeckHow To Present Cyber Security To Senior Management Complete Deck
How To Present Cyber Security To Senior Management Complete Deck
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
 
Information Secuirty Vulnerability Management
Information Secuirty Vulnerability ManagementInformation Secuirty Vulnerability Management
Information Secuirty Vulnerability Management
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
DEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTERDEVELOPING AN ICT RISK REGISTER
DEVELOPING AN ICT RISK REGISTER
 
L008 Disaster Recovery Plan (2016)
L008 Disaster Recovery Plan (2016)L008 Disaster Recovery Plan (2016)
L008 Disaster Recovery Plan (2016)
 
Outsourcing
OutsourcingOutsourcing
Outsourcing
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Boss
 
Risk management in software engineering
Risk management in software engineeringRisk management in software engineering
Risk management in software engineering
 
Risk Management In Software Product Development
Risk Management In Software Product DevelopmentRisk Management In Software Product Development
Risk Management In Software Product Development
 
security_assessment_slides
security_assessment_slidessecurity_assessment_slides
security_assessment_slides
 

Destaque

Destaque (17)

Dit yvol3iss32
Dit yvol3iss32Dit yvol3iss32
Dit yvol3iss32
 
Dit yvol2iss34
Dit yvol2iss34Dit yvol2iss34
Dit yvol2iss34
 
Dit yvol3iss26
Dit yvol3iss26Dit yvol3iss26
Dit yvol3iss26
 
Dit yvol3iss14
Dit yvol3iss14Dit yvol3iss14
Dit yvol3iss14
 
Dit yvol4iss06
Dit yvol4iss06Dit yvol4iss06
Dit yvol4iss06
 
Dit yvol3iss40
Dit yvol3iss40Dit yvol3iss40
Dit yvol3iss40
 
Dit yvol3iss2
Dit yvol3iss2Dit yvol3iss2
Dit yvol3iss2
 
Dit yvol4iss39
Dit yvol4iss39Dit yvol4iss39
Dit yvol4iss39
 
Dit yvol2iss45
Dit yvol2iss45Dit yvol2iss45
Dit yvol2iss45
 
Dit yvol2iss40
Dit yvol2iss40Dit yvol2iss40
Dit yvol2iss40
 
Dit yvol3iss49
Dit yvol3iss49Dit yvol3iss49
Dit yvol3iss49
 
Dit yvol3iss29
Dit yvol3iss29Dit yvol3iss29
Dit yvol3iss29
 
Dit yvol3iss46
Dit yvol3iss46Dit yvol3iss46
Dit yvol3iss46
 
Dit yvol2iss48
Dit yvol2iss48Dit yvol2iss48
Dit yvol2iss48
 
Dit yvol2iss27
Dit yvol2iss27Dit yvol2iss27
Dit yvol2iss27
 
Dit yvol3iss24
Dit yvol3iss24Dit yvol3iss24
Dit yvol3iss24
 
Dit yvol2iss8
Dit yvol2iss8Dit yvol2iss8
Dit yvol2iss8
 

Semelhante a Dit yvol4iss50

200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic SecurityChad Korosec
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docxlorainedeserre
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docxvickeryr87
 
The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company Abdulrahman Alamri
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSathishKumar960827
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
College of Administrative and Financial SciencesAssignment 1.docx
College of Administrative and Financial SciencesAssignment 1.docxCollege of Administrative and Financial SciencesAssignment 1.docx
College of Administrative and Financial SciencesAssignment 1.docxmccormicknadine86
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)April Mardock CISSP
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxInfosectrain3
 
future internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docxfuture internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docxgilbertkpeters11344
 
aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...
aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...
aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...Mitul Rana
 
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docxCase Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docxtidwellveronique
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWshyamuop
 
CMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWCMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWshyamuopfive
 
future internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management Frafuture internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management FraDustiBuckner14
 
Future internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fraFuture internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fraarnit1
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 

Semelhante a Dit yvol4iss50 (20)

200606_NWC_Strategic Security
200606_NWC_Strategic Security200606_NWC_Strategic Security
200606_NWC_Strategic Security
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx
 
27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx27 Introduction Risk management begins with first .docx
27 Introduction Risk management begins with first .docx
 
The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company The Security and Compliance Plan for Maxistar Medical Supplies Company
The Security and Compliance Plan for Maxistar Medical Supplies Company
 
Sample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdfSample Risk Assessment Report- QuantumBanking.pdf
Sample Risk Assessment Report- QuantumBanking.pdf
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
College of Administrative and Financial SciencesAssignment 1.docx
College of Administrative and Financial SciencesAssignment 1.docxCollege of Administrative and Financial SciencesAssignment 1.docx
College of Administrative and Financial SciencesAssignment 1.docx
 
NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)NIST CSF review - Essential Protections (a K12 perspective)
NIST CSF review - Essential Protections (a K12 perspective)
 
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptxCompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
CompTIA CySA Domain 1 Threat and Vulnerability Management.pptx
 
CLOUD COMPUTING.pptx
CLOUD COMPUTING.pptxCLOUD COMPUTING.pptx
CLOUD COMPUTING.pptx
 
future internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docxfuture internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docx
 
aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...
aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...
aMs Southeast Asia 2021 : Insider risk protection and containment in microsof...
 
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docxCase Project 1-1 Defining and Designing a NetworkThe overview.docx
Case Project 1-1 Defining and Designing a NetworkThe overview.docx
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEW
 
CMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWCMGT 400 Entire Course NEW
CMGT 400 Entire Course NEW
 
future internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management Frafuture internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management Fra
 
Future internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fraFuture internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fra
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
PACE-IT, Security+ 2.1: Risk Related Concepts (part 2)
 

Mais de Rick Lemieux

IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementRick Lemieux
 

Mais de Rick Lemieux (20)

IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
 
Dit yvol5iss41
Dit yvol5iss41Dit yvol5iss41
Dit yvol5iss41
 
Dit yvol5iss40
Dit yvol5iss40Dit yvol5iss40
Dit yvol5iss40
 
Dit yvol5iss38
Dit yvol5iss38Dit yvol5iss38
Dit yvol5iss38
 
Dit yvol5iss37
Dit yvol5iss37Dit yvol5iss37
Dit yvol5iss37
 
Dit yvol5iss36
Dit yvol5iss36Dit yvol5iss36
Dit yvol5iss36
 
Dit yvol5iss35
Dit yvol5iss35Dit yvol5iss35
Dit yvol5iss35
 
Dit yvol5iss34
Dit yvol5iss34Dit yvol5iss34
Dit yvol5iss34
 
Dit yvol5iss31
Dit yvol5iss31Dit yvol5iss31
Dit yvol5iss31
 
Dit yvol5iss33
Dit yvol5iss33Dit yvol5iss33
Dit yvol5iss33
 
Dit yvol5iss32
Dit yvol5iss32Dit yvol5iss32
Dit yvol5iss32
 
Dit yvol5iss30
Dit yvol5iss30Dit yvol5iss30
Dit yvol5iss30
 
Dit yvol5iss29
Dit yvol5iss29Dit yvol5iss29
Dit yvol5iss29
 
Dit yvol5iss28
Dit yvol5iss28Dit yvol5iss28
Dit yvol5iss28
 
Dit yvol5iss26
Dit yvol5iss26Dit yvol5iss26
Dit yvol5iss26
 
Dit yvol5iss25
Dit yvol5iss25Dit yvol5iss25
Dit yvol5iss25
 
Dit yvol5iss24
Dit yvol5iss24Dit yvol5iss24
Dit yvol5iss24
 
Dit yvol5iss23
Dit yvol5iss23Dit yvol5iss23
Dit yvol5iss23
 
Dit yvol5iss22
Dit yvol5iss22Dit yvol5iss22
Dit yvol5iss22
 
Dit yvol5iss21
Dit yvol5iss21Dit yvol5iss21
Dit yvol5iss21
 

Último

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Último (20)

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Dit yvol4iss50

  • 1. 10 Steps to Do It Yourself CRAMM Page 1 of 4 The workable, practical guide to Do IT Yourself Vol. 4.50 • December 17, 2008 10 Steps to Do It Yourself CRAMM By Hank Marquis Hank is EVP of Knowledge Management at Universal Solutions Group, and Founder and Director of NABSM.ORG. Contact Hank by email at hank.marquis@usgct.com. View Hank’s blog at www.hankmarquis.info. T he IT Infrastructure Library (ITIL®) promotes the CCTA Risk Analysis and Management Method (CRAMM) for risk assessment. Everyone agrees managing risk is critical, yet few actually use CRAMM or any other formal system! Part of the reason for this is that CRAMM is a sophisticated software tool that requires a trained practitioner to operate. However, if you examine CRAMM, you soon realize you can obtain many of the benefits without investing in consultants or expensive software solutions. CRAMM is simply a process template for analyzing risks (threats an asset faces due to vulnerabilities) and then managing those risks through countermeasures. While CRAMM software includes over 3,000 countermeasures in its database -- something you don’t get doing CRAMM yourself -- you can still achieve sound risk assessments. Following I will explain CRAMM goals, methods, techniques and applications; then I will show how to gain many CRAMM benefits in a matter of minutes -- for very low cost. CRAMM provides a framework to calculate risk from asset values and vulnerabilities, referred to as Risk Analysis. The framework also helps you avoid, reduce, or choose to accept these risks, referred to as Risk Management. The idea is that by analyzing assets one can realize the potential damage caused by a failure in Confidentiality (unauthorized disclosure), Integrity (unauthorized modification or misuse) or Availability (destruction or loss). CRAMM supposes that it is cost prohibitive to eliminate risk, but that you can cost effectively mitigate risk by structured analysis of assets. CRAMM follows a rigid format. CRAMM: Uses meetings, interviews, and questionnaires for data collection. Identifies and categorizes IT assets into one of three categories: 1) data, 2) application/software 3) physical assets (equipment, buildings, staff, etc.) Requires you to consider the Impact of the loss of Confidentiality, Integrity and Availability (CIA) of the asset. Expresses Vulnerability (the likelihood that a threat may occur) as: very high, high, medium, low or very low. Expresses Risk (the likelihood that a threat could exploit the Vulnerability) as: high, medium or low. CRAMM has three stages: 1. Asset identification and valuation. The goal here is to identify and value assets. 2. Threat and vulnerability assessment. The goal here is to assess the CIA risks to assets. 3. Countermeasure selection and recommendation. The goal here is to identify the changes required to manage the CIA risks identified. Risk Assessment comprises stage 1, and about half of stage 2; Risk Management the balance of stage 2 and stage 3. At each stage there is discussion and agreement with the appropriate level of management. This is where awareness builds in management of the issues. One of the most difficult aspects of risk management is justifying the costs involved, which may be very high. Traditional cost vs. benefit analysis does not work well for security, and CRAMM provides a clearer method for showing the potential cost to an organization. CRAMM also involves the entire organization (management, IT http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008
  • 2. 10 Steps to Do It Yourself CRAMM Page 2 of 4 staff and Customers) in the process, creating buy-in and acceptance of the result of your assessment. The Manual CRAMM Without the CRAMM software, you can approximate a CRAMM session using some paper, pencils, office tools like spreadsheets and word processors, the knowledge of your staff, the security Incidents that have occurred, and of course, news about the latest hacker exploits. The following assessment process is based on CRAMM tenets, but does not provide the same level of detail, control, or options as the CRAMM software. On the other hand, you will not spend thousands of dollars and you will still find it capable and valuable! Figure 1 shows the results of a completed “Manual CRAMM” assessment. Asset Owner: A. Owner Asset: Credit Card Data CONFIDENTIALITY public (0), restricted (1-5), confidential (6-9), secure (10) INTEGRITY low (1-3), moderate (4-7), high (8-9, very high (10) AVAILABILITY low (1-3), moderate (4-6), high (7-8), very high (9), mandatory (10) 10 / secure 10 / very high 8 / high Impact Requirement (1-10) Threats list all that apply Disclosure Theft Loss Hacking Input Errors Drive Failure Power Failure Vulnerability (1-10) none (0), low (1-4), moderate (5-7), high (8-9), very high (10) 10 3 1 8 2 5 2 Threat (1 to 100) Impact X Vulnerability 100 30 10 80 20 40 16 Risk Level Low (1-33), Medium (34-67), High (68-100) High Low Low High Low Medium Low Countermeasures list all that apply Password Protection Data Input Forms Firewall Data validation Figure 1. Example Manual “CRAMM” Grid 10-Step Plan Following is a 10-step plan that involves IT staff and the Business, enhances the IT infrastructure (products) and organization (people, process) security, and provides sound financial justification to the business for the expenditures required. 1. Gain (or grant) authority for the security review to proceed. 2. Define the scope of the review (IT service, location, application, etc.,) assign a team, and identify sources of information. Draft, review, and agree a project control document. You are now ready to start collecting data! 3. Begin stage 1 -- identify assets within the scope of the review (data, application/software and physical assets.) A Configuration Management Database (CMDB) is valuable here, if you do not have a CMDB then ask around about important data, software or physical assets. You can leverage previous Business Impact Analysis (BIA) work that you have done here as well. [See ‘How to Win with BIA’ DITY Vol. 2 #2 for more on BIA] 4. Prepare a grid or table. A spreadsheet works well for this. (See figure 1.) For each asset, list the asset and the asset “owner” -- the owner is the person who knows best, the usage and value of this asset. This process also raises the level of acceptance of your review findings and proposals. 5. Interview the asset owner; have the asset owner value data and software assets by the impact/cost resulting from loss of Confidentiality, Integrity, or Availability; and physical assets by replacement cost. Have data owners consider http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008
  • 3. 10 Steps to Do It Yourself CRAMM Page 3 of 4 the impact of the following attributes of their asset: a. Confidentiality -- impact of or sensitivity to disclosure of the asset to non-authorized parties, e.g., “employees,” “contractors,” etc. Use confidentiality requirement categories of public (0), restricted (1-5), confidential (6-9), and secure (10). b. Integrity -- impact of unknown or unauthorized modification e.g. “data input errors,” etc. Use integrity requirement categories of low (1-3), moderate (4-7), high (8-9), and very high (10). c. Availability -- impact of the asset being unavailable for various time frames, e.g., “less than 15 minutes”, “1 hour”, “1 day”, etc. Use availability requirement categories of low (1-3), moderate [OK to recover in days] (4-6), high [hours] (7-8), very high [minutes] (9), and mandatory [cannot be down] (10). For a, and c above, have the data owner first choose a category for each, then a value within the category. For example, for Integrity, have them choose first from low, moderate, high and very high. Then, if they chose moderate in this case, ask them to rank the impact on a scale of 4 to 7. If there are existing measures already in place to control risks identify them during this stage. Update the grid and move to stage 2. 6. Begin stage 2 -- review and agree deliverables from Stage 1. Determine how likely each risk in stage 1 is by asking questions of support personnel, experts and other personnel using prepared questionnaires to try and asses the likelihood that the identified risks could actually occur. Consider Hackers (inside and outside the company), Viruses, Failures (hardware and software), Disasters (terrorism and natural), and People, process or procedure errors. Create a column for each threat. Use a categories of none (0), low (1-4), moderate (5-7), high (8-9), and very high (10). Update the spreadsheet for each asset. 7. Calculate the Risk entry by multiplying the Impact by the Vulnerability. Based on the risk score (impact X vulnerability) assign a label of low (1-33), medium (34-67), or high (68-100). Update the spreadsheet for each asset. You now have an agreed list of the most vulnerable areas! Since this list is developed with and agreed by the Business, you also have a powerful ally for justifying the need to proceed. 8. Begin stage 3 -- review and agree deliverables from Stage 2. Begin to identify and select countermeasures for those assets with the highest risk level. CRAMM contains a very large countermeasure library consisting of over 3000 detailed countermeasures organized into over 70 logical groupings. Of course, without the CRAMM software, you do not have this, but you can still come up with many possible countermeasures through brainstorming and researching the risks identified. [See ‘Availability Management on a Budget’ DITY Vol. 1 #2 for more on using tools like CFIA, FTA, SOA and others to develop solutions.] 9. Consider countermeasures and ways to mitigate the threats. Focus on the higher-level threats first, but don't overlook quick, easy or cheap fixes to lower level threats. In Figure 1, notice that we also chose to implement some countermeasures for low level as well as high level threats. Give precedence to those countermeasures that: a. protect against several threats b. protect high risk assets c. apply where there are no countermeasures already in use d. are less expensive to implement e. are more effective at preventing or mitigating threats f. prevent threats rather than detecting or facilitating recovery g. can be implemented quickly, easily and inexpensively (even for low risk) 10. Raise an RFC for the highest-level threats; use your assessments as justification for the Change. Produce a schedule http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008
  • 4. 10 Steps to Do It Yourself CRAMM Page 4 of 4 and plan for implementation of agreed countermeasure recommendations. Summary The concepts of CRAMM applied via formal methods like these ensure consistent identification of risks and countermeasures, and provides cost justification for the countermeasures proposed. Even without expensive CRAMM software, you can gain powerful benefits like driving Business/IT Alignment, bringing security risks to the forefront, and assisting in the cost justification of countermeasures. Entire Contents © 2008 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). http://www.itsmsolutions.com/newsletters/DITYvol4iss50.htm 12/17/2008