Why Measure Risk?
Does this question seem innocuous to you? Tell me about the newest PDA or wireless LAN configuration, right? Well, with all due respect to you faithful readers out there, your assumption may be wrong. With the implementation of the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the Patriot Act, the art of risk taking in the financial services industry has been elevated to a new art form. Not only are we being mandated to become more vigilant in our analyses of credit risk, business recovery risk, hardware fault tolerance risk and budgetary expenditure risk, but we are also being entrusted with the responsibility of assigning those risk values.
Risk and Valuation
In that respect our initial question should be: why do we need to measure risk? Measuring risk is an exercise in valuation. Why assign values to your production processes? From an empirical standpoint this question seems rather easy. When we donate items to charity, do we give up our newest and best? If we are rushing into a burning building to rescue five known occupants, which one do we go for first? The youngest? The oldest? The one in the wheelchair? The one that's blind? The one who is sleeping?
beardednose
Dec 29 2003, 07:31 PM
I agree that the app owner should determine the risk.
But in the companies I've been in, no one wants to spend the time or money on a risk assessment. IMHO, it's just too dangerous. Once you have a RA on paper, then you have to fix it (legal implications). And they don't want to do that.
Most companies and workers do not believe that anything bad will ever happen to them. It's kinda like dying. Always happens to someone else.
GSecur
Dec 29 2003, 10:11 PM
Your points are definitely valid, BN. But in the financial services industry a risk assessment is required by the security audits they go through. As to whether the assessments are worthy of any notice, that is determined by management's support. No support means nothing more than another document to be filed away.
tomer_shim
Jan 2 2004, 08:53 AM
I agree about the app owner. He is right.
SyN/AcK
Jan 20 2004, 07:52 AM
QUOTE (beardednose @ Dec 29 2003, 07:31 PM)
I agree that the app owner should determine the risk.
But in the companies I've been in, no one wants to spend the time or money on a risk assessment. IMHO, it's just too dangerous. Once you have a RA on paper, then you have to fix it (legal implications). And they don't want to do that.
Most companies and workers do not believe that anything bad will ever happen to them. It's kinda like dying. Always happens to someone else.
I would agree with your point. I run my own Vulnerability Assessment company and we specialize in Network Penetration Analysis, as well as the creation of new policies and procedures for qualifying risks and deciding whether or not they should be taken.
Business is always hard to find, especially here in Michigan. It is as you say: companies have no money budgeted towards security, or very little, so it's hard to make that first initial push towards it. I think the biggest shame is that sometimes, even once it has been done, the company does not use the service (the new policies) to the best of their ability.
Take for example an unnamed company I conducted an audit for. They were so excited about their new policies and practices, but clearly they did not consider them that important. One week after my audit they decided to start using Dameware, which is a cool tool, but as we all know has some vulnerabilities. They really had no reason for using this since they maintained such a small network. A week later they were hacked, and calling me.
Quite a shame...
beardednose
Jan 20 2004, 05:47 PM
Come on, Sarbanes-Oxley! YAHOO!
Starting to work for me, finally.......
Much better than y2k! Only Sarbox never ends, never ends, never ends.
Sarbox brings accountability to a quarter by quarter basis rather than only a year-end basis.
edward5
Jan 26 2004, 02:06 PM
RISK..... How dangerous a concept to reality can be. I recently installed a wireless system for a local small business: no firewall, no security, just anti-virus running on each individual PC. I explained the risk involved and they simply thought it was not worth the money. They said they would call me if they had any problems. Well, I got my first service call in less than 2 weeks. I explained the cost of my service call just to have me onsite, plus any damage repair. Evidently they have been hacked and some files are missing. They want to know how much it would cost to get those files back. Real question from real people. I'll let you know how things turn out.
Ed
Spookie
Jan 27 2004, 11:58 PM
The interesting part that I find, and I'm sure some of you have encountered, is the CFO of the organization. You can have the CIO and CEO sold, but getting the CFO to play ball is sometimes a bit harder, as they're the ones to cut the check.
I'm interested to read the responses on this, i.e. what I like to call "The showdown with the CFO".
PolicyBoy
Feb 23 2004, 07:57 PM
Hoping this thread is still alive.
Frankly, managing IT risks is what I essentially do for Uncle Sam. It's a necessary part of the Certification & Accreditation process. Risk Management in the gubment is codified in many regs and in law, yet I know as well as anyone that it is resource intensive - meaning it takes moola to do. NIST Special Publications 800-30 and 800-37 are replete with Risk Management requirements that are designed to support C&A. Federal agencies have no choice in the matter. They must do them or risk losing OMB budget funding.
If you are in that line of work, you may want to call the local IT department of your nearest Federal Office Anything. Many are under the gun to get Certified and Accredited NOW, and they may look favorably (meaning hire you) upon anyone willing to help them get C&A'ed.
GSecur
Feb 23 2004, 08:23 PM
Ahh, the never-ending C&A checklist. I remember running back and forth between 100 machines to complete the C2config tool, to meet the midnight deadline the OIC had set.
PolicyBoy
Feb 24 2004, 03:26 AM
The NIST CSRC website is considered the computer security bible for federal practitioners. http://csrc.nist.gov/
If you want to know what pushes the majority of the US gubment's buttons when it comes to computer security, just read the Special Publications 800 series here:
I think your site provides an excellent bridge between the official rigor of the policy side and the chaotic reality of the practical side. Mapping one to the other is often impossible, but it gets me through the day.