[Owasp-leaders] Fwd: [SAMM] Estimating Business Risk Profile

Ian Gorrie ian.gorrie at owasp.org
Wed Nov 30 19:03:04 UTC 2016


There are a few ways to look at this depending on the executive culture
involved.  Unless they're financial or insurance related, most have no
context for affirmative risk acceptance and will lean very heavily on anyone
who brings it up.  Be prepared, because you usually only get one shot at a
greenfield conversation.

Also there's a lot of strange BS in this area, so try to keep things
practical and in context of what is relevant to your audience; don't try to
go too far in doing an overall risk assessment for everyone/everything
right away.

Here's what I would suggest taking a look at.

[[ see attached ]]
ISO and FISMA (for feds) are the usual choices in my experience for risk
management and acceptance exercises.  There are vendor tools that can make
walking through the ISO questionnaires an interactive process.
http://www.iso.org/iso/iso_31000_for_smes.pdf

Some context into the mess and overlap of internal audit and pure-play risk
managers
https://iaonline.theiia.org/blogs/marks/2016/Pages/The-Value-Gap-Between-Internal-Audit-and-Our-Stakeholders.aspx
https://www.iia.org.uk/media/266012/rbia_overview.jpg

You'll notice that none of these are ever the same unless you're employing
a giant firm with their proprietary methodology to do it.

It's the exercise that's important, not the flavor of the kool-aid.

Please let me know if this is helpful feedback.

-i

On Wed, Nov 30, 2016 at 10:00 AM, Seba <seba at owasp.org> wrote:

> hi,
>
> good question from John below - any pointers/content we can provide to him?
>
> kind regards
>
> Seba
>
> ---------- Forwarded message ---------
> From: McParland, John <john.mcparland at cgi.com>
> Date: Fri, Nov 4, 2016 at 9:40 AM
> Subject: [SAMM] Estimating Business Risk Profile
> To: samm at lists.owasp.org <samm at lists.owasp.org>
>
>
> Hi all,
>
> one of the first steps in taking my organisation on its SAMM journey is
> the activity "Estimate the Business Risk Profile" (Strategy and Metrics
> Level 1, Activity A).
>
> I've been considering how I should do this and I want to obtain or develop
> a set of interview questions focused around the types of solutions and
> services my organisation builds, the perceived security risks, and impact
> to the business of those risks.
>
> However I wondered how others have approached this - in particular if
> there are any resources I could adopt or customize for this activity?
>
> Thanks,
>
> *John McParland MIET CEng* | System Architect, ODSC
> Health Local and Scotland | CGI
> CGI Ltd (UK)
> Second Floor, Inovo Building, 121 George St, Glasgow, UK, G1 1RD
> M: +44 7920 183 019 <+44%207920%20183019>
> john.mcparland at cgi.com | www.cgi-group.co.uk
>
> CGI IT UK Limited. A CGI Group Inc. Company
> Registered Office: 250 Brook Drive, Green Park, Reading RG2 6UA,
> United Kingdom. Registered in England & Wales - Number 947968
>
> _______________________________________________
> SAMM mailing list
> SAMM at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/samm
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
Attachment: risk appetite and tolerance.png (image/png, 114822 bytes)
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161130/5458b58d/attachment-0001.png>
