The Risk Assessment Process


The risk assessment process, using COBRA, is extremely flexible. A substantial number of approaches are supported. However, the default process usually consists of three stages:

• Questionnaire Building

• Risk Surveying

• Report Generation

During the first stage, via module selection or generation, the base questionnaire is built to fit the environment and requirements of the user.

The second stage is the survey process – Risk Consultant questions are answered by appropriate personnel and the information is securely stored.

In the third stage, risk assessments and ‘scores’ are produced for individual risk categories, individual recommendations are made and solutions offered, and potential business implications are explained.

Each of these stages is managed by its corresponding system component: Questionnaire Builder, Risk Surveyor or Report Generator.

Questionnaire Builder

Questionnaire Builder constructs an appropriate risk questionnaire for the environment/system under consideration. Individual ‘Question Modules’ are specifically selected from the knowledge base.

Each module embraces a particular area of risk or a specific threat class (e.g. Logical Access, Physical Access, Networks, Development, Operations, etc.).

The questionnaire building process can be performed either manually or automatically:

Automatic Questionnaire Building

With an automatic questionnaire build, the system creates a questionnaire that suits the user’s system/installation specifically. This is achieved through completion of the initial ‘Business’ or ‘Impact’ Questionnaire.

Configuration, business function(s) and many other factors are taken into consideration, as well as the financial significance of each area of the system and its potential for loss (direct or indirect). The business user can, therefore, be involved from the outset.

The Business (or Impact) Questionnaire covers each category in turn and upon completion generates a ‘significance level’ for each. This ‘significance level’ determines which question modules Questionnaire Builder will select for inclusion in the detailed questionnaire.

Manual Questionnaire Building

A manual questionnaire build may be desirable for a variety of reasons:

• consideration of a specific aspect of security/risk

• performing risk analysis in various proposed scenarios

• analysis of all risk areas, even if some are not of real significance to the organisation.

The questionnaire is created by user selection of individual question module(s) from those defined to Risk Consultant.

Dynamic Building

Although the questionnaire is thus constructed, the user can return to the Questionnaire Builder at any stage to add or remove question modules.
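The automatic build and the dynamic add/remove steps above, modelled as an added example (not COBRA's or Risk Consultant's own code). The category names, module names, 0..4 answer scale and significance threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuestionModule:
    name: str
    category: str  # risk area or threat class the module covers


# Constructed sample knowledge base; the product's real module names are not on the page.
KNOWLEDGE_BASE = (
    QuestionModule("Password Controls", "Logical Access"),
    QuestionModule("Privileged Accounts", "Logical Access"),
    QuestionModule("Site Security", "Physical Access"),
    QuestionModule("Firewall Configuration", "Networks"),
    QuestionModule("Change Control", "Development"),
    QuestionModule("Backup and Recovery", "Operations"),
)


def significance_levels(impact_answers):
    """Impact Questionnaire -> significance level per category.

    impact_answers maps a category to the answer scores given for it
    (assumed 0..4 scale). The level is the rounded mean of those scores.
    """
    return {cat: round(sum(s) / len(s)) for cat, s in impact_answers.items() if s}


def build_questionnaire(levels, threshold=2, knowledge_base=KNOWLEDGE_BASE):
    """Automatic build: include every module whose category meets the
    significance threshold (the threshold value is an assumption)."""
    return [m for m in knowledge_base if levels.get(m.category, 0) >= threshold]


def add_module(questionnaire, name, knowledge_base=KNOWLEDGE_BASE):
    """Dynamic build: add a module by name; duplicates are ignored, unknown names rejected."""
    module = next((m for m in knowledge_base if m.name == name), None)
    if module is None:
        raise ValueError(f"unknown question module: {name}")
    return list(questionnaire) if module in questionnaire else questionnaire + [module]


def remove_module(questionnaire, name):
    """Dynamic build: drop a module by name; a module not present is not an error."""
    return [m for m in questionnaire if m.name != name]
```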

Risk Surveyor

Risk Surveyor manages the questionnaire completion process. The question modules which comprise the questionnaire are completed individually, each by appropriate personnel.

Different modules can also be completed at different times, enabling scheduling to be based around personnel availability. The results are brought together at the report generation stage.

The Question Modules

Questions are of various formats: mandatory single response, optional single response, mandatory multiple response, optional multiple response, text response, and numeric response. Most are of a simple, multiple-choice variety.

Full branching facilities are included, including the facility to branch to a secondary question module and return to the original. All input is validated and screens are of a standard format.

The ability to skip one or more questions (for later completion) is also provided, along with a ‘notepad’ facility to enable additional comments and notes to be recorded. In addition, further question modules may be dynamically generated as questions are answered and Risk Consultant obtains more information.

A comprehensive help facility is provided at both system and question level.

Report Generator

The Report Generator is used to produce the results from the completed questionnaire. The results are suitable for interpretation by both technical and non-technical management and are in the form of a professional business document.

Report Content

A number of report sections are provided:

• Recommended solutions and specific additional security control suggestions

• A descriptive assessment and relative risk score for each ‘risk category’ in each area considered

• A full impact analysis for the business or department

• Direct linkage between areas of risk and the potential financial and business implications

Report headings and the introductory text for each section can be changed and tailored to reflect user requirements and culture.

Output Channels

Reports can be produced on the PC monitor or on a printer. Output can alternatively be directed to a file. This enables import to word processing packages, if required.

System Control

A wide range of system parameters are user definable, including screen colours, sub-folders, etc.