Comments on: Security Template Exception (part 2) – The Assessment

By: Audit Trail Blog Archive » Risk Intrigue

Audit Trail Blog Archive » Risk Intrigue — Mon, 17 Nov 2008 18:14:05 +0000

[...] King (whose risk management blog is at computerweekly.com)? It seems Stuart believes Chris’s strategies for risk assessment are impractical. Chris, in a response, takes a stab at explaining how he and [...]

By: Rational Risk Management, ‘Angry Italians’, and Irrational Security Analysts | RiskAnalys.is

Mon, 17 Nov 2008 16:43:24 +0000

[...] you all had a great weekend. I had meant to point you earlier to a FAIR analysis that Chris Hayes did over at his Blog. But I’ve been a little busy, and before I could mention it, Stuart King put up a kind of [...]

By: Chris Hayes

Chris Hayes — Fri, 07 Nov 2008 02:20:00 +0000

@ Christian – Thank you so much for the kind feedback! If you have any suggestions on any specific types of scenarios in the future – let me know! Take care!

By: Christian

Christian — Fri, 07 Nov 2008 02:12:29 +0000

Awesome series of posts Chris! I’m a huge advocate of the FAIR methodology and have helped our internal info risk folk also start to leverage some of the methodology and language in to our existent, legacy processes.

What is really interesting is the way you have documented out the process is very similar to how I’ve used the FAIR method to document and assess info risk scenarios here at work. As you highlight, walking through the BRAG is a very effective way to do a quick review of a particular scenario.

Another thing that I really enjoyed about this series was bringing quite common scenarios out into the open. I’m all for the concept of ‘open’ RA, particularly because there are a number of scenarios out there that multiple companies are facing, and whilst some of the context is different per company, people can still accommodate for that.

I’ll definitely be sharing these posts with some colleagues.

Cheers!