Cramm risk management tool
CRAMM supposes that it is cost prohibitive to eliminate risk, but that you can cost-effectively mitigate risk through structured analysis of assets. It uses meetings, interviews, and questionnaires for data collection. It expresses Vulnerability (the likelihood that a threat may occur) as very high, high, medium, low or very low.

It expresses Risk (the likelihood that a threat could exploit the Vulnerability) as high, medium or low. CRAMM has three stages. Risk Assessment comprises stage 1 and about half of stage 2; Risk Management the balance of stage 2 and stage 3. At each stage there is discussion and agreement with the appropriate level of management.

This is where management's awareness of the issues builds. One of the most difficult aspects of risk management is justifying the costs involved, which may be very high. Traditional cost vs.

CRAMM also involves the entire organization (management, IT staff and customers) in the process, creating buy-in and acceptance of the result of your assessment. Without the CRAMM software, you can approximate a CRAMM session using some paper, pencils, office tools like spreadsheets and word processors, the knowledge of your staff, the security incidents that have occurred, and of course, news about the latest hacker exploits. On the other hand, you won't spend thousands of dollars and you will still find it capable and valuable!

Figure 1: Data validation.

Following is a step-by-step plan that involves IT staff and the business, enhances the security of the IT infrastructure (products) and the organization (people and process), and provides sound financial justification to the business for the expenditures required.

For a, and c above, have the data owner first choose a category for each, then a value within the category. For example, for Integrity, have them choose first from low, moderate, high and very high. Then, if they chose moderate in this case, ask them to rank the impact on a scale of 4 to 7. If there are existing measures already in place to control risks, identify them during this stage. Update the grid and move to stage 2. The concepts of CRAMM applied via formal methods like these ensure consistent identification of risks and countermeasures, and provide cost justification for the countermeasures proposed.
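As an added example (not CRAMM's own software or its published scale), the two-step valuation above can be turned into a validation step for the paper-and-spreadsheet grid: the owner picks a band first, then a score, and the script rejects a score that does not fall inside the chosen band. The only band taken from the text is moderate = 4 to 7 for Integrity; the bands for low, high and very high, the reuse of the same bands for Confidentiality and Availability, and the rule that an asset's overall value is its highest dimension score are assumptions made for illustration, and the two sample assets are constructed.

```python
"""Two-step asset valuation with consistency checking (illustrative, not CRAMM's code).

Only the moderate band (4 to 7) comes from the text; every other band,
the dimension list and the aggregation rule are assumptions for this example.
"""
from dataclasses import dataclass, field

# Band -> inclusive score range. "moderate": (4, 7) is from the text;
# the other three bands are assumed so that the bands are contiguous.
IMPACT_BANDS = {
    "low": (1, 3),
    "moderate": (4, 7),
    "high": (8, 9),
    "very high": (10, 10),
}

# Assumed: the same bands are used for all three dimensions.
DIMENSIONS = ("confidentiality", "integrity", "availability")


class ValuationError(ValueError):
    """Raised when an owner's answer is inconsistent with the band chosen first."""


def validate_score(band: str, score: int) -> int:
    """Second step of the valuation: the score must lie inside the band chosen first."""
    if band not in IMPACT_BANDS:
        raise ValuationError(f"unknown band {band!r}; expected one of {sorted(IMPACT_BANDS)}")
    lo, hi = IMPACT_BANDS[band]
    if not lo <= score <= hi:
        raise ValuationError(f"score {score} is outside the {band} band {lo}-{hi}")
    return score


def is_consistent(band: str, score: int) -> bool:
    """Boolean form of validate_score, handy when checking a whole questionnaire."""
    try:
        validate_score(band, score)
    except ValuationError:
        return False
    return True


@dataclass
class Asset:
    name: str
    owner: str
    values: dict = field(default_factory=dict)            # dimension -> validated score
    existing_controls: list = field(default_factory=list)  # measures already in place

    def record(self, dimension: str, band: str, score: int) -> None:
        """Store one validated answer for one dimension."""
        if dimension not in DIMENSIONS:
            raise ValuationError(f"unknown dimension {dimension!r}")
        self.values[dimension] = validate_score(band, score)

    def overall_value(self) -> int:
        """Assumed aggregation: the highest score across the three dimensions."""
        missing = [d for d in DIMENSIONS if d not in self.values]
        if missing:
            raise ValuationError(f"{self.name}: no value recorded for {missing}")
        return max(self.values.values())


def build_grid(assets):
    """One spreadsheet-style row per asset: name, owner, C, I, A, overall, controls."""
    rows = []
    for asset in assets:
        rows.append([
            asset.name,
            asset.owner,
            *(asset.values[d] for d in DIMENSIONS),
            asset.overall_value(),
            "; ".join(asset.existing_controls) or "none",
        ])
    return rows


def sample_grid():
    """Constructed sample inputs (not real assessment data)."""
    payroll = Asset("payroll database", "HR director")
    payroll.record("confidentiality", "high", 8)
    payroll.record("integrity", "moderate", 5)
    payroll.record("availability", "moderate", 4)
    payroll.existing_controls.append("nightly offsite backup")

    wiki = Asset("intranet wiki", "comms lead")
    wiki.record("confidentiality", "low", 2)
    wiki.record("integrity", "low", 3)
    wiki.record("availability", "low", 1)
    return build_grid([payroll, wiki])


if __name__ == "__main__":
    for row in sample_grid():
        print(row)
```

Rejecting an inconsistent answer at entry time (for example a "moderate" band with a score of 8) is what keeps the grid comparable across data owners, which is the point of asking for the band before the number.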

CRAMM follows a rigid format. The goal here is to identify and value assets, followed by threat and vulnerability assessment.

Maturity level of the information system: the product gives a means of measuring the maturity of the information system's security.

Tools supporting the method: list of tools that support the product.

Technical integration of available tools: particular supporting tools (see C-7) can be integrated with other tools.

Organisation processes integration: the method provides interfaces to existing processes within the organisation. Method provides interfaces to other organisational processes: No.

Flexible knowledge databases: it is possible to adapt a knowledge database specific to the activity domain of the company.

Trial before purchase: details regarding the evaluation period of the tool. CD or download available: Evaluation copy. Identification required: Yes. Trial period (days): 30 days.

Tool architecture: specify the technologies used in this tool.

Target public: defines the most appropriate type of communities for this tool.

Level of detail: specify the target kind of people for this tool based on its functionality.

Compliance to IT standards: list the national or international standards this tool is compliant with.

Tool helps towards a certification: specify whether the tool helps the company toward a certification according to a standard.

Training: information about possible training courses for this tool.

Skills needed: specify the skills needed to use and maintain the solution.

Tool support: specify the kind of support the company provides for this product.

Organization processes integration: describe the user roles this tool supports.

Interoperability with other tools: specify available interfaces or other ways of integration with other tools.
