Through securitymetrics.org I saw Matthew Rosenquist's great post and whitepaper for their Threat Agent Risk Assessment. Worth a look!
While there are many approaches to conducting an assessment (e.g. NIST, OCTAVE, etc.), my favorite step is how best to communicate the results to achieve optimal effect and action. Matthew refers to this last step as "Align strategy to target the most significant exposures." The ability to collaborate with the business and IT owner so that they invest their time (i.e. delay a project) and money to mitigate risks is definitely an art. We dedicated an entire application to it.
I could be wrong, but TARA looks very comprehensive and time-consuming, and appropriate for an Intel-class enterprise. I'd like to see a series of standards for small, medium, and enterprise-class security assessments with increasing levels of coverage and complexity. Only experience can tell when to apply a two-page assessment vs. break the glass and roll out the three-week version. Another area deserving equal air time is the effort required of the assessment team to work with the IT or business group on implementing said controls and verifying that risks are properly mitigated. I've seen these steps underestimated, straining the capacity of the team.
I think Microsoft has done a wonderful job with their SDL threat modeling application. Have enterprise assessment applications matured to meet the current need, as TARA does? I haven't seen all the GRC suites, but they should be in the best position to deliver. Or are they?