Handbook of Information Security Management: Risk Management and Business Continuity Planning



Final Recommendations

After the risk assessment is complete, final recommendations should be prepared on two levels: (1) a categorical set of recommendations in an executive summary, and (2) detailed recommendations in the body of the risk assessment report. The executive summary recommendations are supported by the integrated risk model, which reflects all threat risks before and after the selected safeguards are applied, the average annual cost of the selected safeguards, and their expected risk reduction benefit.

The detailed recommendations should include a description of each selected safeguard and its supporting cost benefit analysis. Detailed recommendations may also include an implementation plan. However, in most cases, implementation plans are not developed as part of the risk assessment report. Implementation plans are typically developed upon executive endorsement of the recommendations.
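The integrated risk model behind the executive summary, worked as a small added example (not code from the handbook): each threat's annual risk is computed before and after the selected safeguards, the safeguards' one-time costs are spread over their service life to give an average annual cost, and the net benefit is risk reduction minus that cost. The annual-loss convention (loss per event times events per year), the threat and safeguard figures and the multiplier-based safeguard effects are all assumptions for illustration.

```python
"""Integrated risk model: annual threat risk before and after selected
safeguards, average annual safeguard cost and net benefit. Added example;
annual loss = loss per event x events per year is an assumed convention."""
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    single_loss: float   # expected loss per occurrence
    annual_rate: float   # expected occurrences per year
    def annual_loss(self, rate_factor=1.0, loss_factor=1.0):
        return self.single_loss * self.annual_rate * rate_factor * loss_factor

@dataclass
class Safeguard:
    name: str
    initial_cost: float  # one-time cost, spread evenly over life_years
    yearly_cost: float   # recurring cost per year
    life_years: int
    # threat name -> (rate multiplier, loss multiplier) once in place
    effect: dict = field(default_factory=dict)
    def average_annual_cost(self):
        return self.initial_cost / self.life_years + self.yearly_cost

def integrated_risk_model(threats, safeguards):
    """Per-threat annual loss before/after safeguards plus aggregate figures."""
    rows = {}
    for t in threats:
        rate_f = loss_f = 1.0
        for s in safeguards:                 # combine every selected safeguard
            rf, lf = s.effect.get(t.name, (1.0, 1.0))
            rate_f, loss_f = rate_f * rf, loss_f * lf
        rows[t.name] = (t.annual_loss(), t.annual_loss(rate_f, loss_f))
    before = sum(b for b, _ in rows.values())
    after = sum(a for _, a in rows.values())
    cost = sum(s.average_annual_cost() for s in safeguards)
    return {"threats": rows, "before": before, "after": after,
            "safeguard_cost": cost, "risk_reduction": before - after,
            "net_benefit": before - after - cost}

# Constructed sample inputs (not from the chapter).
THREATS = [Threat("fire", 500_000, 0.02), Threat("disk failure", 20_000, 1.0),
           Threat("unauthorized access", 50_000, 0.5)]
SAFEGUARDS = [Safeguard("offsite backups", 30_000, 5_000, 3,
                        {"fire": (1.0, 0.2), "disk failure": (1.0, 0.1)}),
              Safeguard("access control review", 0, 12_000, 1,
                        {"unauthorized access": (0.4, 1.0)})]
if __name__ == "__main__":
    print(integrated_risk_model(THREATS, SAFEGUARDS))
```

With the sample figures the selected safeguards cut annual risk from 55,000 to 14,000 at an average annual cost of 27,000, a net benefit of 14,000 per year; a negative net benefit would flag a safeguard set that costs more than the risk it removes.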

AUTOMATED TOOLS

The following products represent a broad spectrum of automated risk assessment tools ranging from the comprehensive, knowledge-based expert system BDSS™ to RiskCalc, a simple risk assessment shell with provision for user-generated algorithms and a framework for data collection and mapping.

ARES, Air Force Communications and Computer Security Management Office, Kelly AFB, TX.
@RISK, Palisade Corp., Newfield, NY.
Bayesian Decision Support System (BDSS), OPA, Inc., The Integrated Risk Management Group, Petaluma, CA.
Control Matrix Methodology for Microcomputers, Jerry FitzGerald & Associates, Redwood City, CA.
COSSAC, Computer Protection Systems Inc., Plymouth, MI.
CRITI-CALC, International Security Technology, Reston, VA.
CRAMM, Executive Resources Association, Arlington, VA.
GRA/SYS, Nander Brown & Co., Reston, VA.
IST/RAMP, International Security Technology, Reston, VA.
JANBER, Eagon, McAllister Associates Inc., Lexington Park, MD.
LAVA, Los Alamos National Laboratory, Los Alamos, NM.
LRAM, Livermore National Laboratory, Livermore, CA.
MARION, Coopers & Lybrand (U.K.-based), London, England.
Micro Secure Self Assessment, Boden Associates, East Williston, NY.
Predictor, Concorde Group International, Westport, CT.
PRISM, Palisade Corp., Newfield, NY.
QuikRisk, Basic Data Systems, Rockville, MD.
RA/SYS, Nander Brown & Co., Reston, VA.
RANK-IT, Jerry FitzGerald & Associates, Redwood City, CA.
RISKCALC, Hoffman Business Associates Inc., Bethesda, MD.
RISKPAC, Profile Assessment Corp., Ridgefield, CT.
RISKWATCH, Expert Systems Software Inc., Long Beach, CA.
The Buddy System Risk Assessment and Management System for Microcomputers, Countermeasures, Inc., Hollywood, MD.

SUMMARY

While the dialogue on risk assessment continues, management is increasingly finding utility in the technology of risk assessment. Readers should, where the culture of their organization allows, make every effort to assess the risks in the subject IT environments using automated, quantitatively oriented tools. If there is strong resistance to using quantitative tools, then proceed with an initial approach using a qualitative tool. But do start the risk assessment process!

Work on automated tools continues to improve their utility and credibility. More and more of the “Big 6” and other major consultancies, including those in the insurance industry, are offering risk assessment services using, or planning to use, quantitative tools. Managing risk is the central issue of information security. Risk assessment with automated tools provides organizational management with sound insight into their risks, how best to manage them, and how to reduce liability costs effectively.
