This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Developing an Effective IT Risk Assessment Arsenal

Jump to: navigation, search

Developing an Effective IT Risk Assessment Arsenal

An agile approach to assessing IT risk is essential for any modern organisation. The range of IT assets to be protected is so great and the threats are so numerous that a rigid, monolithic approach will lose credibility when it is clearly not adding value. Yet a purely ad hoc approach is not ideal either; a structured, standards based, repeatable, auditable process is required in these times of increased focus on corporate accountability and responsibility.

This presentation will outline how to evaluate your IT Risk Assessment toolkit and determine if there are any gaps. Is all IT Change receiving the level of scrutiny it merits or are some risky propositions gliding in ‘under–the–radar’? If so we will look at how best to build a case for adopting something new in the current cost conscious climate.

We will identify potential stakeholders in the organisation and discuss some common requirements. The pain of change is well understood; something new should have minimal impact on existing way of doing things and integrate well with established reporting systems. We will also investigate the relevant standards and regulations in this area; it is well documented what open standards bring to systems and software development, but what benefits can they bring to a process like IT Risk Assessment? Above all it must be easy to demonstrate value and increased assurance in terms the stakeholders will understand.

Off-the-shelf methods such as STRIDE / DREAD, SARA and SPRINT may suit your needs. The alternative is to try to make an informal approach work or even develop your own methodology from scratch. We will discuss the relative merits of these and the principles that underpin them all. To illustrate we will share some of our own experiences and look at opinion from respected IT Security professionals in other organisations about what works for them.