EXECIA RISK ASSESSOR

About The Tool

The ExecIA Risk Assessor product (ERA) is designed to provide a simple methodology for carrying out the following information assurance actions:
  • Identifying the importance of information assets to the business
  • Assessing threats and vulnerabilities to information assets
  • Measuring the value of information assurance controls
  • Indicating priorities for information asset risk management
  • Monitoring improvements in risk management
Risk Assessor has been formulated to reduce the complexity of risk assessment as far as possible. One way in which this is achieved is through the use of a restricted but widely applicable selection of parameters for business objectives and processes, threats and vulnerabilities. The choice of these parameters has been made as a result of many years of experience in the practical application of risk assessment and with reference to other risk assessment methodologies and standards.

The result of this simplification is that the assessment methodology can realistically be used by organisations of all sizes, even the smallest. Furthermore, the product's novel system of relating asset risk impact to business objectives and processes makes it simpler to relate information assurance risk to business goals and requirements.

Risk Assessor's information asset risk management methodology is also simplified, and is based on pre-selected controls. These are derived from the ExecIA Controls Assessment (ECA) product, which allows organisations to determine their current capability maturity in 31 information assurance risk control areas. The 31 control areas were determined by analysing the controls within international standards such as ISO/IEC 27002:2005, ITIL and COBIT. For further details see the relevant ExecIA data sheet.

Concept and Process Flow

Risk may be defined as the probability that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation. The concept of the flow of risk from threats and vulnerabilities to potential harm (or impact) is shown opposite. Risk Assessor is designed to capture significant information about threats, vulnerabilities and potential impact on assets in the most rapid and simple way possible. It then analyses the information obtained, using a repeatable methodology, in order to assess the risk to an organisation's business.

Risk Assessment and Management Report

The primary output of the product is a report which ties together the asset groups with the other information gathered about threats, vulnerabilities and the impact assessments.

Risk Assessor takes account of the fact that it is not possible for any organisation to manage all the risk to any group of its assets. For example, the risk to laptops will be inherently harder to control than that of assets that remain within protected areas of the organisation (such as databases). The organisation will therefore pragmatically wish to set a greater degree of residual risk for some asset groups.

Risk Assessor calculates the actual percentage of risk managed on the basis that the controls in place will be able to act only on the percentage of risk remaining after the residual risk has been accepted. The final analysis represents a recommendation of the priority order of asset groups when action is taken to treat risks. This is calculated from the aggregated priority orders of impact, threat, vulnerability, total risk and percentage of risk managed.

Colour coding of results is used throughout the tool: bright red marks the value of most potential concern, shading to bright green for the issue of least concern.
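A worked model of the scheme described above, added here as an illustration and not the Risk Assessor's own code or formulas. It assumes (none of this is stated on the page) 1..5 scores for impact, threat and vulnerability, total risk as their product, a fraction of total risk accepted as residual with controls acting only on the remainder, priority as the sum of the five rank orders (lowest total treated first), and the red-to-green shading returned as a hex colour.

```python
# Illustrative model only, NOT the ExecIA Risk Assessor's own code or formulas.
# Assumed scales: impact/threat/vulnerability 1..5; residual risk and control
# effectiveness as fractions; total risk = impact * threat * vulnerability.
from dataclasses import dataclass

@dataclass
class AssetGroup:
    name: str
    impact: int                   # 1 (low) .. 5 (high), assumed scale
    threat: int
    vulnerability: int
    residual_accepted: float      # fraction of total risk the business accepts
    control_effectiveness: float  # fraction of the treatable risk the controls remove

    @property
    def total_risk(self) -> int:
        return self.impact * self.threat * self.vulnerability

    @property
    def pct_managed(self) -> float:
        # Controls act only on the risk left after residual risk is accepted.
        return (1.0 - self.residual_accepted) * self.control_effectiveness * 100.0

def rank(groups, key, higher_is_worse=True):
    """Return {name: rank}; rank 1 is the group of most concern."""
    ordered = sorted(groups, key=key, reverse=higher_is_worse)
    return {g.name: i + 1 for i, g in enumerate(ordered)}

def prioritise(groups):
    """Aggregate the five priority orders; lowest rank total is treated first."""
    orders = [
        rank(groups, lambda g: g.impact),
        rank(groups, lambda g: g.threat),
        rank(groups, lambda g: g.vulnerability),
        rank(groups, lambda g: g.total_risk),
        rank(groups, lambda g: g.pct_managed, higher_is_worse=False),  # less managed = worse
    ]
    totals = {g.name: sum(o[g.name] for o in orders) for g in groups}
    return sorted(totals, key=lambda n: (totals[n], n))

def colour(value, worst, best):
    """Bright red for the value of most concern, shading to bright green ('#rrggbb')."""
    t = max(0.0, min(1.0, (value - best) / (worst - best)))
    return f"#{round(255 * t):02x}{round(255 * (1 - t)):02x}00"

# Constructed sample: laptops are harder to control, so more residual risk is accepted.
SAMPLE = [
    AssetGroup("laptops", 4, 4, 4, residual_accepted=0.4, control_effectiveness=0.8),
    AssetGroup("database", 5, 3, 2, residual_accepted=0.1, control_effectiveness=0.9),
    AssetGroup("website", 3, 5, 3, residual_accepted=0.2, control_effectiveness=0.5),
]
```

With the sample data `prioritise(SAMPLE)` returns laptops first, then website, then database, even though the database carries the highest impact score.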

Downloads

  • Coming soon: Risk Assessor Datasheet

(C) ExecIA LLP 2011