The Risk Assessment Process
The COBRA risk assessment process is flexible and supports a substantial number of approaches. The default process, however, consists of three stages:
• Questionnaire Building
• Risk Surveying
• Report Generation
During the first stage, via module selection or generation, the base questionnaire is built to fit the environment and requirements of the user.
The second stage is the survey process – Risk Consultant questions are answered by appropriate personnel and the information is securely stored.
In the third stage, risk assessments and ‘scores’ are produced for each risk category, individual recommendations are made, solutions are offered, and the potential business implications are explained.
Each of these stages is managed by its corresponding system component: Questionnaire Builder, Risk Surveyor and Report Generator.
Questionnaire Builder
Questionnaire Builder constructs an appropriate risk questionnaire for the environment/system under consideration. Individual ‘Question Modules’ are specifically selected from the knowledge base.
Each module embraces a particular area of risk or a specific threat class (e.g. Logical Access, Physical Access, Networks, Development, Operations, etc).
The questionnaire building process can be performed either manually or automatically:
Automatic Questionnaire Building
With an automatic questionnaire build, the system creates a questionnaire that suits the user’s system/installation specifically. This is achieved through completion of the initial ‘Business’ or ‘Impact’ Questionnaire.
Configuration, business function(s) and many other factors are taken into consideration, as well as the financial significance of each area of the system and its potential for loss (direct or indirect). The business user can, therefore, be involved from the outset.
The Business (or Impact) Questionnaire covers each category in turn and upon completion generates a ‘significance level’ for each. This ‘significance level’ determines which question modules Questionnaire Builder will select for inclusion in the detailed questionnaire.
Manual Questionnaire Building
A manual questionnaire build may be desirable for a variety of reasons:
- consideration of a specific aspect of security/risk
- performing risk analysis in various proposed scenarios
- analysis of all risk areas, even if some are not of real significance to the organisation.
The questionnaire is created by user selection of individual question module(s) from those defined to Risk Consultant.
Dynamic Building
Once the questionnaire has been constructed, by either method, the user can return to Questionnaire Builder at any stage to add or remove question modules.
Risk Surveyor
Risk Surveyor manages the questionnaire completion process. The question modules which comprise the questionnaire are completed individually, each by appropriate personnel.
Different modules can also be completed at different times, enabling scheduling to be based around personnel availability. The results are brought together at the report generation stage.
The Question Modules
Questions are of various formats: mandatory single response, optional single response, mandatory multiple response, optional multiple response, text response, and numeric response. Most are of a simple, multiple-choice variety.
Full branching is supported, including the ability to branch to a secondary question module and then return to the original. All input is validated and screens are of a standard format.
The ability to skip one or more questions (for later completion) is also provided, along with a ‘notepad’ facility to enable additional comments and notes to be recorded. In addition, further question modules may be dynamically generated as questions are answered and Risk Consultant obtains more information.
A comprehensive help facility is provided at both system and question level.
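The following is an added example, not COBRA's or Risk Consultant's own code, that models in Python two of the mechanisms described above: the automatic build, in which a ‘significance level’ derived from the Impact Questionnaire decides which modules are included, and the survey step, with input validation per question format, skipping a question for later completion, and branching into a secondary module and returning to the original. The category names, module names, numeric thresholds, question texts, branching rules and sample replies are all constructed assumptions for illustration; the page does not describe COBRA's actual scoring or selection rules.

```python
"""Toy model of a COBRA-style questionnaire build and survey (added example;
all thresholds, modules, questions and replies below are constructed assumptions)."""
from dataclasses import dataclass, field
from typing import Any

# ---- Automatic questionnaire building ------------------------------------
# Constructed sample: Impact Questionnaire answers, a list of 1..5 scores per
# risk category (higher = greater potential for loss).
IMPACT_ANSWERS = {
    "Logical Access": [4, 5, 3],
    "Physical Access": [1, 1, 2],
    "Networks": [5, 5, 4],
    "Development": [2, 3, 2],
    "Operations": [3, 4, 4],
}

# Assumed knowledge base: each category offers a basic and a detailed module.
MODULES_BY_CATEGORY = {
    "Logical Access": ["LA-basic", "LA-detailed"],
    "Physical Access": ["PA-basic", "PA-detailed"],
    "Networks": ["NET-basic", "NET-detailed"],
    "Development": ["DEV-basic", "DEV-detailed"],
    "Operations": ["OPS-basic", "OPS-detailed"],
}


def significance_level(scores: list[int]) -> str:
    """Reduce a category's impact scores to low/medium/high (thresholds assumed)."""
    avg = sum(scores) / len(scores)
    if avg >= 4.0:
        return "high"
    if avg >= 2.5:
        return "medium"
    return "low"


def build_questionnaire(impact: dict[str, list[int]]) -> list[str]:
    """Select modules: high -> all modules, medium -> basic module only, low -> none."""
    selected: list[str] = []
    for category, scores in impact.items():
        level = significance_level(scores)
        if level == "high":
            selected.extend(MODULES_BY_CATEGORY[category])
        elif level == "medium":
            selected.append(MODULES_BY_CATEGORY[category][0])
    return selected


# ---- Risk surveying: validation, skipping, branch-and-return -------------
SKIP = object()  # sentinel: respondent defers this question for later completion


@dataclass
class Question:
    qid: str
    text: str
    kind: str                      # "single", "multi", "numeric" or "text"
    choices: list[str] = field(default_factory=list)
    mandatory: bool = True
    branch: dict[Any, str] = field(default_factory=dict)  # answer -> secondary module


def validate(q: Question, answer: Any) -> Any:
    """Reject answers that do not fit the question format; empty is valid only if optional."""
    if answer is None or answer == "" or answer == []:
        if q.mandatory:
            raise ValueError(f"{q.qid}: a response is mandatory")
        return None
    if q.kind == "single" and answer not in q.choices:
        raise ValueError(f"{q.qid}: {answer!r} is not one of {q.choices}")
    if q.kind == "multi" and not (isinstance(answer, list) and set(answer) <= set(q.choices)):
        raise ValueError(f"{q.qid}: expected a list drawn from {q.choices}")
    if q.kind == "numeric" and not isinstance(answer, (int, float)):
        raise ValueError(f"{q.qid}: expected a number")
    return answer


# Constructed sample modules: answering "no" to NET-basic/Q1 branches into
# NET-detailed, after which the survey returns to NET-basic/Q2.
SURVEY_MODULES: dict[str, list[Question]] = {
    "NET-basic": [
        Question("Q1", "Is the network separated from the Internet by a firewall?",
                 "single", ["yes", "no"], branch={"no": "NET-detailed"}),
        Question("Q2", "Which remote access services are exposed?",
                 "multi", ["SSH", "RDP", "VPN"], mandatory=False),
    ],
    "NET-detailed": [
        Question("Q1", "How many hosts are directly reachable from the Internet?", "numeric"),
    ],
}


def run_survey(modules, entry, responder, answers=None, pending=None):
    """Walk one module; on a branch, complete the secondary module, then resume here."""
    answers = {} if answers is None else answers
    pending = [] if pending is None else pending
    for q in modules[entry]:
        key = f"{entry}/{q.qid}"
        raw = responder(key)
        if raw is SKIP:
            pending.append(key)      # left unanswered for later completion
            continue
        answers[key] = validate(q, raw)
        target = None if isinstance(answers[key], list) else q.branch.get(answers[key])
        if target:
            run_survey(modules, target, responder, answers, pending)
    return answers, pending


# Constructed respondent: pre-recorded replies keyed by "module/question".
SAMPLE_REPLIES = {"NET-basic/Q1": "no", "NET-detailed/Q1": 12, "NET-basic/Q2": SKIP}


def sample_run():
    return run_survey(SURVEY_MODULES, "NET-basic", SAMPLE_REPLIES.__getitem__)


if __name__ == "__main__":
    print(build_questionnaire(IMPACT_ANSWERS))   # modules chosen from the impact scores
    print(sample_run())                          # (answers in order visited, skipped keys)
```

The survey keeps answers in the order they were visited, so the branch into NET-detailed and the return to NET-basic are visible in the result; the skipped question is reported separately so it can be scheduled for another respondent.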
Report Generator
The Report Generator is used to produce the results from the completed questionnaire. The results are suitable for interpretation by both technical and non-technical management and are in the form of a professional business document.
Report Content
Output Channels
Reports can be displayed on the PC monitor or sent to a printer. Output can alternatively be directed to a file, which allows it to be imported into word processing packages if required.