[Owasp-leaders] Fwd: [SAMM] Estimating Business Risk Profile

Ian Gorrie ian.gorrie at owasp.org
Wed Nov 30 19:03:48 UTC 2016

Whoops.  Sent to the wrong list.  Please ignore/heckle me.


On Wed, Nov 30, 2016 at 11:03 AM, Ian Gorrie <ian.gorrie at owasp.org> wrote:

> There are a few ways to look at this depending on the executive culture
> involved.  Unless they're financial or insurance related, most have no
> context for affirmative risk acceptance and will lean very heavily on any
> who bring it up.  Be prepared, because you usually only get one shot at a
> green fields conversation.
> Also there's a lot of strange BS in this area, so try to keep things
> practical and in context of what is relevant to your audience; don't try to
> go too far in doing an overall risk assessment for everyone/everything
> right away.
> Here's what I would suggest taking a look at.
> [[ see attached ]]
> ISO and FISMA (for feds) are the usual choices in my experience for risk
> management and acceptance exercises.  There are vendor tools that can make
> walking through the ISO questionnaires an interactive process.
> http://www.iso.org/iso/iso_31000_for_smes.pdf
> Some context into the mess and overlap of internal audit and pure-play
> risk managers
> https://iaonline.theiia.org/blogs/marks/2016/Pages/The-Value-Gap-Between-Internal-Audit-and-Our-Stakeholders.aspx
> https://www.iia.org.uk/media/266012/rbia_overview.jpg
> You'll notice that none of these are ever the same unless you're employing
> a giant firm with their proprietary methodology to do it.
> It's the exercise that's important, not the flavor of the kool-aid.
> Please let me know if this is helpful feedback.
> -i
> On Wed, Nov 30, 2016 at 10:00 AM, Seba <seba at owasp.org> wrote:
>> hi,
>> good question from John below - any pointers/content we can provide to
>> him?
>> kind regards
>> Seba
>> ---------- Forwarded message ---------
>> From: McParland, John <john.mcparland at cgi.com>
>> Date: Fri, Nov 4, 2016 at 9:40 AM
>> Subject: [SAMM] Estimating Business Risk Profile
>> To: samm at lists.owasp.org <samm at lists.owasp.org>
>> Hi all,
>> one of the first steps in taking my organisation on its SAMM journey is
>> the activity "Estimate the Business Risk Profile" (Strategy and Metrics
>> Level 1, Activity A).
>> I've been considering how I should do this and I want to obtain or
>> develop a set of interview questions focused around the types of solutions
>> and services my organisation builds, the perceived security risks, and
>> impact to the business of those risks.
>> However I wondered how others have approached this - in particular if
>> there are any resources I could adopt or customize for this activity?
>> Thanks,
>> John McParland MIET CEng | System Architect, ODSC
>> Health Local and Scotland | CGI
>> CGI Ltd (UK)
>> Second Floor, Inovo Building, 121 George St, Glasgow, UK, G1 1RD
>> M: +44 7920 183 019
>> john.mcparland at cgi.com | www.cgi-group.co.uk
>> CGI IT UK Limited. A CGI Group Inc. Company
>> Registered Office: 250 Brook Drive, Green Park, Reading RG2 6UA,
>> United Kingdom. Registered in England & Wales - Number 947968