September 24, 2004

Risk Analysis and Management Methodology For Information Systems

Javier Cao Avellaneda pointed me last night to an interesting procedure handbook called RISK ANALYSIS AND MANAGEMENT METHODOLOGY FOR INFORMATION SYSTEMS, which has some interesting reading on an approach to threat modeling. Code-named MAGERIT, it appears to be based on ISO 13335, the ITSEC criteria and ISO 17799.

Javier says it studies the risks that an information system is exposed to, as well as those of its surrounding environment. He defines risk as the possibility of damage or injury occurring in the system, given the threats that exist against it. MAGERIT then recommends the appropriate safeguard functions and mechanisms that should be put in place in order to know, prevent, impede, reduce or control the risks it has identified.

I haven't had a chance yet to do a detailed read, but from a quick glance it looks pretty interesting. At a hefty 200+ pages, it's something you will need to set some time aside for. If you are into threat modeling, it might be worth your time to check it out.

Interesting stuff.

Posted by SilverStr at September 24, 2004 11:37 AM
Comments

There is a mistake in the link associated with my name. My new blog is http://seguridad-de-la-informacion.blogspot.com and I suppose that in my comment I signed with seguridad-para usuarios.blogspot.com, my old blog. I would like to change the link.

Regards,

Posted by: Javier Cao Avellaneda at September 27, 2004 12:47 AM