How can a company measure risk and security levels?
Is there an industry standard that helps to express risk levels to apply appropriate measures?
The same for security levels. As with every online presence a company needs to lower its guard, but how far? This is also determined by the perceived risks.
Good Answers (4)
Michael S
Information security survivor
Arjen:
I suggest you look into Factor Analysis of Information Risk (FAIR) at the link below. The whole point of FAIR is to create information risk measures that align with other business risk measures.
I have used the CIA-rating in the past. See: http://en.wikipedia.org/wiki/Information_security
This is an industry standard framework for information security.
Hope this will get you started.
John J. T
Information Systems Security Director & Consultant, Executive Vice President, NY Metro InfraGard (FBI Program)
I am currently reading an interesting and well written book that might help: Security Metrics, by Andrew Jaquith
Metrics have typically been a bugaboo when it comes to security. As is quoted on the cover: "You cannot improve what you cannot measure."
So far this looks like it will be a very good reference book on the subject.
http://tinyurl.com/3drg4b
Yinal O
Principal Architect , New York
Hi Arjen,
I have just answered a similar question. Every industry has a specific risk level definition.
There are several frameworks to manage and measure risk. Once risk is measured, the controls are applied accordingly. It is not like a predefined black book of Security levels that dictate security controls in most of the risk systems. These levels are relative so the safeguards are not expected to be the same.
For risk management options check
FRAP, FIRM, OCTAVE, DRAM, CRAMM, NIST 800-30, ISO 27005, ISACA are the initial ones that come to mind as a framework. The most suitable ones would be based on your environment, operation and resources. Check the following URL: http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf
For measurement and metrics:
I do recommend following the ISO 27004 framework for Information Security measurement and metrics. ISO 27004 is still in draft; you can also use a British Standards Institute (BSI) document, BIP0074. ISO requires well-defined processes and an Information Security Management System (ISMS). This duo will ease your job to measure the effectiveness of information security.
Let me know if you have a specific question,
regards,
- yinal ozkan
More Answers (7)
Joshua B
Sales Engineering / Technical Architect at Currently Looking For Work
This question is based on the premise that all risk is equal, when experience proves that all risk is NOT equal.
A clothing store does not share the same risks as a bank for example.
To answer the question I think you were asking: Are there industry standard best practices that should apply to everyone?
Yes there are; you can look up CoBIT, NIST, ISO17799, ISO27001, CoSo and others. When you have in-depth experience with enough of them, you'll be able to draw on that bank of knowledge to help you understand how best to apply them to each institution you work with.
Less effort than that and I fear security will just become a dogmatic religion...more rules to follow
*I'm off to phlog myself now.
Subhas C B
Management Consultant
There are risk management standards in ISO and in several industry practices. Similar standards are also available for security.
One of the simple methods is to classify the risk and security perceptions under several classifications (severity, detection, scale, occurrence, impact, potential loss, etc.), give a rating, and compute the collective effects to initiate corrective actions to mitigate the risk.
Urmez D
Practice Manager, Enterprise Security Services at Wipro
Couple of perspectives to answer your question:
If you are looking for an automated Risk measurement and management solution - you may want to check Skybox. The tool aggregates data from multiple sources and analyses it against risk models and provides a calculated risk / exposure view. (This is more from an Infrastructure security point of view)
Measurement or quantification of a risk could also result in the choice of an appropriate compensating control, e.g. an online transaction with high risk probability could have a "higher" security level imperative. This is the logic that many solutions in the area of fraud prevention revolve around. Here the company, through historical data/models, arrives at a risk quantification model which then translates to required security levels.
If you are looking at business risk measurement you would also have to build on one of the assessment frameworks to arrive at some quantifiable metrics, e.g. BCP/DR.
Trust this helps!
Timothy B
Information Technology and Security Guru
Since you are in the insurance business, I'll assume you know all about risk assessment in general :-)
Folks above have mentioned many acronymic security standards, and they are all very important for the areas in which they are applied. I believe the issue is two sided though.
Generally, these models do not acknowledge the idea of 'risk/reward' as opposed to 'risk/exposure'. There is always a cost to improved security in any venue.. essentially the first thing I do before I even start thinking in 10 letter acronyms is to decide what is the reward for -taking- a risk as opposed to -not- taking it. That is the sticky bit to quantify.. not the technical risk assessment process, which will deal with quantifying the actual risk on a scale of other risks, metrics and processes.
So, in other words, do I gain something from taking a risk or not? If not, don't take it! If yes, look at -what- I gain and decide if the risk is worth looking at. You start from a position of zero risk (a completely isolated system) and move outwards towards the functionality you require. Each risk you take is evaluated with an appropriate model, depending on the business needs you are filling.
Some folks call this an 'Onion Skin' approach. Or, at least, I do. :-)
Good luck!
In order to know your risk profile you need to know your business, environment and users. If you are fortunate enough to work in an environment which forces access controls then you have a slightly easier job of it.
In an environment that requires more relaxed access to systems your risk profile is obviously higher.
Any online company has a certain threat profile. The best way to assess your threat profile exactly is by understanding what attack(s) you are being exposed to, or are even having occurring against your network, both internal and external.
There are many standards and recommendations for locking your environment down, but then you hit the paradox of how much security is too much? Do you block legitimate users in order to protect data? How many hoops do you put them through?
It's here that a bank understandably has more security and challenge/response than a clothing store, but both can be used to access confidential data.
It's an ongoing battle, but the key to it is information. Understand your risks: even if you cannot fix them today, knowing about them puts you one level up on most others.
NIST-60 defines how to assign a risk level, and therefore a specific set of controls, to an information system based on the importance of the system to your organization. E.g., systems which threaten loss of life are automatically High, but so are systems whose absence would cripple the organization for an extended time. It is a bit vague, though. I think a better system is the one used by the National Security Agency, which measures the impact of loss of confidentiality, integrity or availability separately, multiplies by the specific financial impact of that loss, etc. I'm not sure if that method is publicly available on their web site; it's not classified. Let me know if you want more specifics.
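The two rating schemes sketched in the answer above (a per-system level driven by the worst of the C/I/A impacts with automatic-High triggers, and a per-property impact multiplied by financial loss), as an added worked example that is not from the original thread or from any NIST or NSA publication; the high-water-mark rule is assumed to follow FIPS 199 / SP 800-60 practice, summing the three weighted products is this example's own assumption, and all system names and loss figures are constructed. It also illustrates the "rate each dimension, then combine" idea from the earlier answer.

```python
from dataclasses import dataclass
from enum import IntEnum

class Impact(IntEnum):
    """Qualitative impact of losing one security property."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class SystemProfile:
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact
    # Constructed estimates (USD) of the loss if each property is compromised.
    loss_c: float
    loss_i: float
    loss_a: float
    threatens_life: bool = False  # loss could endanger people: automatic HIGH
    cripples_org: bool = False    # long outage would halt the organisation: HIGH

def system_level(p: SystemProfile) -> Impact:
    """High-water-mark rule (assumed, in the style of FIPS 199 / SP 800-60):
    the system inherits the highest of its C, I and A impacts, and the two
    triggers named in the answer force HIGH regardless of the ratings."""
    if p.threatens_life or p.cripples_org:
        return Impact.HIGH
    return max(p.confidentiality, p.integrity, p.availability)

def weighted_exposure(p: SystemProfile) -> float:
    """Per-property variant as the answer sketches it: rate the loss of each
    property separately and multiply by its financial impact. Summing the
    three products is this example's assumption, not a published formula."""
    return (p.confidentiality * p.loss_c
            + p.integrity * p.loss_i
            + p.availability * p.loss_a)

def rank_systems(systems):
    """Order systems by assigned level, then by weighted exposure, so the
    control budget goes to the highest-rated systems first."""
    return sorted(systems,
                  key=lambda s: (system_level(s), weighted_exposure(s)),
                  reverse=True)
```

A system rated LOW on every property but flagged as crippling the organisation still lands in the HIGH tier, ahead of a MODERATE system with a much larger financial exposure; that is the point of the automatic triggers.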
Josh D
www.EnergyBillReductions.WhyAmbitWorks.com at Ambit Energy
With regards to web application security, you might want to look into application layer firewalls. That will address things like forceful browsing, cross site scripting, SQL injection, poisoned cookies and many others.
Citrix (the company I work for) has one that has the PCI (payment card industry) stamp of approval. It enforces a positive security model, thereby also protecting from even a D-Day attack.
Josh Darville - Southern California Territory Manager
Josh.Darville@Citrix.com
Ph 954-229-6826
Fx 954-267-8421
http://www.linkedin.com/in/joshdarville
Yahoo IM - darville2007