I’ve been talking with a lot of companies lately about risk. Many of them want to formalize their approach to classifying systems, data, business processes, people, etc. using a structured risk program such as FAIR, OCTAVE, and the like. These models often seem fairly complex, and the net effect I’m seeing is that lots of people are talking about them but most are not doing anything, because the programs feel like daunting projects.
One method I’ve seen that is starting to work is a lot simpler. In the vein of “just start something” some of the organizations I’m working with are doing some quick & dirty risk classification (high/medium/low, red/orange/yellow, etc.) to help them segregate their infrastructure, applications, data, and roles into meaningful buckets that can be used to drive security rigor, investment, and response.
While simple, I think this approach works very well. After all, if you think of it in terms of your personal life, you probably own some things you’d feel comfortable leaving out on the front lawn all night, but you have other things (your grandmother’s ring, your big-screen TV, etc.) that you would never leave unprotected and you’d want to make sure you knew those things were safely locked up every night.
You probably have a pretty good sense of the relative importance of these components of your IT infrastructure, data, and related processes. If you don’t have a risk model in place, don’t wait – start doing some basic categorization to help you align what you’re doing with the importance of the things you’re securing.
What’s your experience? Are there any lightweight models you’ve seen that work for you and your business?