Intranet Journal
The online resource for intranet professionals


Security Scanning is not Risk Analysis - Page 3


Laura Taylor


07/14/02

How much should this company spend, and what should it spend it on, to secure this database? That is the magic question the CIO will be called upon to answer. The issue becomes more complex when the SLEs for numerous assets and technologies are calculated and added up into a larger ALE. When trying to figure out how much to spend on safeguards to mitigate the threat, you need to take the entire organization into consideration, since a single firewall or a single intrusion prevention system might mitigate multiple threats and protect multiple assets at once.
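The aggregation described above, as an added worked example that is not part of the original article or of any of the products it names: it rolls single loss expectancies up into an annualized loss expectancy across several assets and threats, then values each candidate safeguard by the ALE it removes across every asset it protects, minus its own annual cost. The formulas are the standard quantitative risk analysis ones (SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence); the asset names, dollar figures, rates and the fractional ARO reductions attributed to each safeguard are all constructed sample data, not figures from the article.

```python
"""Roll up SLE/ALE across assets and threats and rank safeguards by net annual
value. Added example; all asset values, rates and control effects are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Exposure:
    """One threat acting on one asset."""
    asset: str
    threat: str
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        # Single loss expectancy: what one occurrence costs.
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized loss expectancy: expected cost per year with no safeguard applied.
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control with an annual cost and, per threat, the fraction by which it cuts ARO.

    A control listed against a threat reduces that threat for EVERY asset exposed to
    it, which is how one firewall ends up protecting several assets at once."""
    name: str
    annual_cost: float
    aro_reduction: Dict[str, float]  # threat name -> fraction of ARO removed (0.0 to 1.0)


def total_ale(exposures: Iterable[Exposure],
              safeguards: Sequence[Safeguard] = ()) -> float:
    """Sum the ALE of every exposure, after applying the given safeguards."""
    total = 0.0
    for exp in exposures:
        residual_aro = exp.aro
        for control in safeguards:
            # Reductions from several controls compound rather than add, so two 50%
            # controls leave 25% of the original ARO, never a negative rate.
            residual_aro *= 1.0 - control.aro_reduction.get(exp.threat, 0.0)
        total += exp.sle() * residual_aro
    return total


def safeguard_value(exposures: Sequence[Exposure], control: Safeguard) -> float:
    """Net annual value of one control: ALE it removes minus what it costs to run."""
    removed = total_ale(exposures) - total_ale(exposures, [control])
    return removed - control.annual_cost


def rank_safeguards(exposures: Sequence[Exposure],
                    candidates: Sequence[Safeguard]) -> List[Tuple[str, float]]:
    """Candidates ordered by net annual value, best first."""
    scored = [(c.name, safeguard_value(exposures, c)) for c in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample exposures: two assets, three threat types.
EXPOSURES = [
    Exposure("customer database", "external intrusion", 500_000, 0.4, 0.5),
    Exposure("customer database", "insider misuse",     500_000, 0.2, 0.25),
    Exposure("web server",        "external intrusion", 100_000, 0.5, 1.0),
    Exposure("web server",        "hardware failure",   100_000, 0.3, 0.2),
]

# Constructed candidate controls. The firewall only addresses intrusion, but it does
# so for both assets; the IPS addresses two threats but costs more and cuts less.
FIREWALL = Safeguard("perimeter firewall", 20_000, {"external intrusion": 0.8})
IPS = Safeguard("intrusion prevention system", 30_000,
                {"external intrusion": 0.5, "insider misuse": 0.4})


if __name__ == "__main__":
    print(f"Total ALE with no safeguards: ${total_ale(EXPOSURES):,.0f}")
    for name, value in rank_safeguards(EXPOSURES, [IPS, FIREWALL]):
        print(f"{name:30s} net annual value ${value:,.0f}")
```

With the constructed figures the four exposures add up to an ALE of $181,000; the firewall removes $120,000 of it across both assets for a net value of $100,000, while the IPS removes $85,000 for a net value of $55,000. Swapping in an organization's own asset values and rates turns this into the manual calculation the article refers to, and the ranking is what a CIO is actually being asked for: not "what is the risk," but "which control buys the most risk reduction per dollar."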

The good news is that there are some excellent tools to assist risk analysis experts and CIOs in answering these financial questions. These tools are not well known, but they offer very advanced capabilities for guiding you through the risk analysis process. Unfortunately, they are not as simple to use as system and network security scanners. A comprehensive risk analysis process is time-consuming and requires detailed financial analysis of an entire business. But if you want to know how much to spend on safeguards, and which safeguards to implement, there is no better process.

The Right Tools for the Job
The three leading tools in the risk analysis market segment are RiskWatch, RiskPAC, and RiskCheck. I have examined all of these tools in depth, and they offer excellent capabilities for leading IT decision makers through the risk analysis process. These tools are survey driven, and typically require a dedicated, expert project manager to drive the project to completion. The project manager needs to be sure that the respondents entering the detailed asset, threat, and safeguard information are not skewing the values. Some respondents to the surveys these tools generate may try to skew the values to make it look like their assets are not at risk, fearing that a high risk level will be read as evidence of management incompetence. The dedicated project leader needs the full support of the executive management team in order to get the cooperation necessary to obtain the results of the risk analysis.

To find out more about these tools, visit the web sites of the companies that make them.

RiskWatch http://www.riskwatch.com

RiskPAC http://www.csciweb.com

RiskCheck http://www.norman.no/organization.shtml

You can naturally calculate risk analysis metrics manually. However, using the proper tool to guide you through the process will greatly increase your ability to actually generate a successful risk analysis report that everyone can understand.



Copyright 2002 Jupitermedia Corporation, All Rights Reserved.