Some folks within the 66ers group are busy doing SRAs and I met with some last night and wanted to pass along the following.
One of the techniques for doing an SRA that people use involves assigning the values High, Medium, and Low to the factors of likelihood and impact to assess the risk of a threat and vulnerability pair. No problem; very straightforward and relatively easy to do.
The problem is that, using one of the popular risk matrices from the NIST publications, one can get a "low" value if one has the values Low and Low, Low and Medium, and Low and High. However, not all of these "low" values are the same. So keep this in mind when doing your SRAs, because you want to differentiate and also assess the risk levels across these three "low" values, particularly when you are looking at the effectiveness (or not) of your current controls as well as what additional (if any) actions you plan to take to mitigate risk levels to appropriate levels in meeting the risk management requirement.
Just passing this along as I know some folks are running into this given some of the SRA work products I've seen.
------------------------------
► Next Study Group Ready to Start on 6/6 ◄
--------Frank Ruelas---------
------------------------------
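Added worked example (my own illustration, not part of Frank's post): a small Python script that reproduces the three-level likelihood/impact matrix and shows why the three "low" cells differ. The numeric weightings (likelihood 0.1 / 0.5 / 1.0, impact 10 / 50 / 100, risk bands 1-10 Low, >10-50 Medium, >50-100 High) are my assumption in the style of the original NIST SP 800-30 risk-level matrix; check them against the publication your SRA method actually cites. The threat/vulnerability pairs in the sample are constructed for the example. The script keeps the underlying score alongside the "Low" label so the pairs can be ranked within the band when you review control effectiveness and decide which ones still merit additional action.

```python
"""Rank threat/vulnerability pairs that all land in the same qualitative risk band.

Assumed weightings (in the style of NIST SP 800-30's 3x3 matrix; verify against
the publication you use):
  likelihood  Low=0.1  Medium=0.5  High=1.0
  impact      Low=10   Medium=50   High=100
  risk band   1..10 -> Low,  >10..50 -> Medium,  >50..100 -> High

Likelihood weights are stored in tenths so every score is an exact integer
(0.1 * 100 becomes 1 * 100 // 10 == 10) and no float rounding creeps in.
"""
from dataclasses import dataclass

LIKELIHOOD_TENTHS = {"Low": 1, "Medium": 5, "High": 10}   # 0.1, 0.5, 1.0
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> int:
    """Numeric risk score for a likelihood/impact rating pair (1..100)."""
    return LIKELIHOOD_TENTHS[likelihood] * IMPACT[impact] // 10


def risk_level(score: int) -> str:
    """Map a numeric score onto the qualitative High/Medium/Low band."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class ThreatVulnPair:
    """One threat/vulnerability pairing from an SRA worksheet (constructed sample data)."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def rank_within_band(pairs: list, band: str) -> list:
    """Return the pairs in the given band, highest underlying score first.

    Two pairs labelled "Low" are not interchangeable: Low/High scores 10,
    Low/Medium scores 5, Low/Low scores 1. Sorting by score keeps that
    distinction visible when deciding where additional controls are warranted.
    """
    in_band = [p for p in pairs if p.level == band]
    return sorted(in_band, key=lambda p: p.score, reverse=True)


# Constructed sample worksheet: three pairs that all come out "Low".
SAMPLE_PAIRS = [
    ThreatVulnPair("Lost laptop", "Disk not encrypted", "Low", "High"),
    ThreatVulnPair("Phishing", "No awareness training", "Low", "Medium"),
    ThreatVulnPair("Printer misuse", "Unlocked print room", "Low", "Low"),
    ThreatVulnPair("Ransomware", "Unpatched file server", "Medium", "High"),
]


def low_band_ranking(pairs: list = SAMPLE_PAIRS) -> list:
    """Convenience wrapper: (threat, score) tuples for the "Low" band, ranked."""
    return [(p.threat, p.score) for p in rank_within_band(pairs, "Low")]


if __name__ == "__main__":
    for pair in SAMPLE_PAIRS:
        print(f"{pair.threat:15} {pair.likelihood:>6}/{pair.impact:<6} "
              f"score={pair.score:3d} level={pair.level}")
    print("Low band, most significant first:", low_band_ranking())
```

Running it prints each pair with its score and band, then the three "Low" pairs in the order Low/High (10), Low/Medium (5), Low/Low (1), which is the differentiation the post is asking you to preserve in the SRA write-up.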