Wednesday, September 12, 2007

A guide to conducting efficient Computer Risk Assessment

A survey of different companies reveals that most of them have no methodology when it comes to risk management. It is surprising, but it is true.

The banking industry is heavily regulated, so banks do appear to practise a methodology. For instance, in the UK, most governmental and finance institutions use the UK's CRAMM (Risk Assessment and Management Methodology).

There are also a couple of other well-known risk management methodologies, such as OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) and the Security Concepts and Relationships model of the Common Criteria, ISO15408.

The choice of a risk methodology should be carefully evaluated, organisation by organisation. Laws and compliance requirements do affect why an organisation favours one risk methodology over another.

What factors affect risk assessments, and what methodologies are employed? See [1].

1: Cyril Onwubiko and Andrew Lenaghan, "Managing Security Threats and Vulnerabilities for Small and Medium Enterprises", Proceedings of the 5th IEEE International Conference on Intelligence and Security Informatics (IEEE ISI 2007), May 23-24, 2007, New Brunswick, New Jersey.

Security Policy

A security policy is a formal statement that governs who gets access to an organisation's resources and what they may or may not do with them. A security policy is therefore defined as a formal statement of the rules that govern people who are given access to an organisation's technology and information assets (see the Site Security Handbook [1]).

A security policy encompasses the processes and procedures (rules) an organisation requires to protect its information assets, and to take action against personnel who default on them. It is pertinent to note that one significant characteristic of a security policy is that it must address the specific security issues of the organisation; that is, it must be "point-specific". For example, an 'Acceptable Use' policy would cover the rules and regulations for appropriate use of the computing facilities [2], while an 'Email Policy' would address the rules and regulations for accepted use of corporate email facilities, and a 'Cryptographic Standards' policy would state the encryption algorithms, hash algorithms, Pretty Good Privacy (PGP) variant and key sizes that are allowed for use in exchanging corporate information within and outside the organisation. Most activities carried out in an organisation must be carefully stipulated in its security policy.

The practice of copying another organisation's security policy verbatim is discouraged, because security policies must be specific and must apply to the organisation in question. When an organisation copies another's security policy, chances are that the copied policies will never apply to it.


1: B. Fraser (1997), "The Site Security Handbook", RFC2196, [Online]: http://www.faqs.org/rfcs/rfc2196.html [Accessed 12th Dec. 2006].
2: SANS (SysAdmin, Audit, Network and Security) Institute, [Online]: http://www.sans.org/resources/policies/ [Accessed 5th Dec. 2006].

Security Standards

Security management standards are a distinct set of information security guidelines, consisting of processes, procedures and training, that assist security personnel in implementing the right set of security controls. Security controls enable organisations to manage and protect their computer, information and network services and resources. An information security management standard should be carefully evaluated against the security requirements of the organisation where it will be implemented before one is chosen.

Improper implementation, or selection of an inappropriate information management standard, can have significant implications for the very assets it aims to protect. Security controls consist of mechanisms that govern connections seeking access to information assets, such as authentication, authorisation and auditing. For full details on security standards, contact the author - Cyril.