What do you use for Risk Management?



  • I am in the process of implementing SimpleRisk in our organization. It's an open source risk management system. For our purposes, I asked for paid extras to the product. I finally received the licensing last week. I am documenting risks and creating flows for data custodians and data custodian's management approval.


  • Service Provider

    Nothing formal. Not sure that I know anyone that is doing formal processes for that.



  • Hit 'Enter' and pray.
    Just kidding. No software or product used, just a list of things I can think of that might cause problems. Didn't even know such products existed, going to look at this.


  • Service Provider

    Yeah, certainly nothing formal.



  • @scottalanmiller said in What do you use for Risk Management?:

    Nothing formal. Not sure that I know anyone that is doing formal processes for that.

    Really? It's pretty much the only way to go anymore. How are you going to know which servers have which risks otherwise? Not to mention that not all risks or vulnerabilities can be fixed due to certain circumstances. Upgrading Java or doing an OS patch could break a business critical application.

    Exceptions and reasons why certain vulnerabilities can't be fixed should be documented. For example, if you get hacked because you are unable to patch a certain application due to vendor requirements, it's documented and you are CYA.



  • It is especially necessary if you have many different data custodians. There needs to be a central repository.


  • Service Provider

    @IRJ said in What do you use for Risk Management?:

    @scottalanmiller said in What do you use for Risk Management?:

    Nothing formal. Not sure that I know anyone that is doing formal processes for that.

    Really? It's pretty much the only way to go anymore. How are you going to know which servers have which risks otherwise? Not to mention that not all risks or vulnerabilities can be fixed due to certain circumstances. Upgrading Java or doing an OS patch could break a business critical application.

    Exceptions and reasons why certain vulnerabilities can't be fixed should be documented. For example, if you get hacked because you are unable to patch a certain application due to vendor requirements, it's documented and you are CYA.

    SMB, management doesn't analyze risk.



  • @scottalanmiller said in What do you use for Risk Management?:

    @IRJ said in What do you use for Risk Management?:

    @scottalanmiller said in What do you use for Risk Management?:

    Nothing formal. Not sure that I know anyone that is doing formal processes for that.

    Really? It's pretty much the only way to go anymore. How are you going to know which servers have which risks otherwise? Not to mention that not all risks or vulnerabilities can be fixed due to certain circumstances. Upgrading Java or doing an OS patch could break a business critical application.

    Exceptions and reasons why certain vulnerabilities can't be fixed should be documented. For example, if you get hacked because you are unable to patch a certain application due to vendor requirements, it's documented and you are CYA.

    SMB, management doesn't analyze risk.

    I could still see it as a good tool for IT to document any vulns they cannot fix and associated emails with the vendor that prove you've done your due diligence.


  • Service Provider

    Not a bad idea, will have to check out some software for it.



  • I love this idea and will keep it in the bag for future reference.

    I just wish people would document anything around here. I can't even get them to use a helpdesk system, which they purchased. Not even the IT department. Therefore, this is clearly more of a management issue than it is an IT issue, and I cannot get around it. Sorry. Rant over.



  • Right now, risk management is mostly utilized in the enterprise space, because enterprises see value in things that SMBs usually don't. Not to mention that in SMB, executives are rarely trained in IT. Generally in SMB even the CIO doesn't have the high level training to understand the process.



  • @scottalanmiller said in What do you use for Risk Management?:

    Not a bad idea, will have to check out some software for it.

    simplerisk.com



  • @IRJ said in What do you use for Risk Management?:

    @scottalanmiller said in What do you use for Risk Management?:

    Not a bad idea, will have to check out some software for it.

    simplerisk.com

    We actually helped with the CentOS documentation, as one of our corporate requirements is to use CentOS or RHEL for all Linux installations. Previously, SimpleRisk was only supported on Ubuntu.


  • Service Provider

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.



  • @JaredBusch said in What do you use for Risk Management?:

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.

    Holy cow, is that annually or one-time cost?



  • @NerdyDad said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.

    Holy cow, is that annually or one-time cost?

    Annually.



  • Is it just me, or are they charging for encryption functionality, which can be set up on your installation when you INSTALL... $2k annually for that is a complete ripoff.

    SimpleRisk Encrypted Database Extra

    Sensitive text is encrypted with a long, random password prior to being inserted into the SimpleRisk database, preventing anyone from being able to view or modify the data without using the SimpleRisk application directly.


  • @JaredBusch said in What do you use for Risk Management?:

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.

    Unfortunately, some of them are necessary for us, like LDAP integration, email notifications, and team-based separation. These are required for me to create proper workflows in an enterprise-size environment. There are potentially hundreds of users I need to involve for different pieces of this system.


  • Service Provider

    @DustinB3403 said in What do you use for Risk Management?:

    Is it just me, or are they charging for encryption functionality, which can be set up on your installation when you INSTALL... $2k annually for that is a complete ripoff.

    SimpleRisk Encrypted Database Extra

    Sensitive text is encrypted with a long, random password prior to being inserted into the SimpleRisk database, preventing anyone from being able to view or modify the data without using the SimpleRisk application directly.

    No, you have no idea what you are talking about. This is not disk encryption. This is encryption of the data in the database itself.



  • @JaredBusch said in What do you use for Risk Management?:

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.

    I agree that the hosted version is much better price-wise, and of course that is what is pushed by SimpleRisk. However, it's kind of scary having all your vulnerabilities on your network managed off site by a small company.


  • Service Provider

    @IRJ said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.

    I agree that the hosted version is much better price-wise, and of course that is what is pushed by SimpleRisk. However, it's kind of scary having all your vulnerabilities on your network managed off site by a small company.

    I totally get that too. I have done software development. I get that it is not cheap. But those prices are just out of line.



  • @JaredBusch said in What do you use for Risk Management?:

    @DustinB3403 said in What do you use for Risk Management?:

    Is it just me, or are they charging for encryption functionality, which can be set up on your installation when you INSTALL... $2k annually for that is a complete ripoff.

    SimpleRisk Encrypted Database Extra

    Sensitive text is encrypted with a long, random password prior to being inserted into the SimpleRisk database, preventing anyone from being able to view or modify the data without using the SimpleRisk application directly.

    No, you have no idea what you are talking about. This is not disk encryption. This is encryption of the data in the database itself.

    But why not encrypt the entire system, why encrypt the individual records of the database?



  • @JaredBusch said in What do you use for Risk Management?:

    @IRJ said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.

    I agree that the hosted version is much better price-wise, and of course that is what is pushed by SimpleRisk. However, it's kind of scary having all your vulnerabilities on your network managed off site by a small company.

    I totally get that too. I have done software development. I get that it is not cheap. But those prices are just out of line.

    Agreed. When we talked to the owner back in December about this we made a big stink about the price. Especially when much more robust Risk Management solutions are cheaper than SimpleRisk.

    These other enterprise solutions are very complicated to implement. It would take a team of people to implement because the system is so complicated, because it is actually set up to do calculations. SimpleRisk is simply a place to document risks. There is no need to tie them to values, assets, do calculations like ALE style calculations, etc.

    Also, when you consider you have at least a hundred users extensively using a system, is $6k really that much? If you use support once or twice you could easily recoup your $6k back in saved time.


  • Service Provider

    @DustinB3403 said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @DustinB3403 said in What do you use for Risk Management?:

    Is it just me, or are they charging for encryption functionality, which can be set up on your installation when you INSTALL... $2k annually for that is a complete ripoff.

    SimpleRisk Encrypted Database Extra

    Sensitive text is encrypted with a long, random password prior to being inserted into the SimpleRisk database, preventing anyone from being able to view or modify the data without using the SimpleRisk application directly.

    No, you have no idea what you are talking about. This is not disk encryption. This is encryption of the data in the database itself.

    But why not encrypt the entire system, why encrypt the individual records of the database?

    Who said the base system is not encrypted? That still does not provide protection to the data in the database when the system is running.

    Encrypted disks are not encrypted when the system is booted and logged in.
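    An added illustration of the distinction JaredBusch draws between disk encryption and encrypting a field before it is inserted into the database. This is example code written for this thread, not SimpleRisk's implementation; the table layout (row id to notes column) and the way the key is held by the application are assumptions.

    ```go
    package main

    import (
    	"crypto/aes"
    	"crypto/cipher"
    	"crypto/rand"
    	"encoding/hex"
    	"fmt"
    )

    // Constructed stand-in for a risk table (row id -> notes column; the real SimpleRisk schema
    // is not on this page). Notes hold hex(nonce || AES-GCM ciphertext); the key never enters the DB.
    type app struct {
    	aead  cipher.AEAD
    	table map[int]string
    }

    func newApp(key []byte) *app {
    	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
    	if err != nil {
    		panic(err)
    	}
    	aead, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block cipher
    	return &app{aead: aead, table: map[int]string{}}
    }

    // insert encrypts before the value reaches the table; the row id is bound as
    // associated data so a stored ciphertext cannot be moved onto another record.
    func (a *app) insert(id int, notes string) error {
    	nonce := make([]byte, a.aead.NonceSize())
    	if _, err := rand.Read(nonce); err != nil {
    		return err
    	}
    	ct := a.aead.Seal(nonce, nonce, []byte(notes), []byte(fmt.Sprint(id)))
    	a.table[id] = hex.EncodeToString(ct)
    	return nil
    }

    // dumpNotes is what a SQL session on the running server, or a copy of its files, sees.
    func (a *app) dumpNotes(id int) string { return a.table[id] }

    // readNotes is the application path: it holds the key, so only it can decrypt.
    func (a *app) readNotes(id int) ([]byte, error) {
    	raw, err := hex.DecodeString(a.dumpNotes(id))
    	ns := a.aead.NonceSize()
    	if err != nil || len(raw) < ns {
    		return nil, fmt.Errorf("row %d missing or malformed", id)
    	}
    	return a.aead.Open(nil, raw[:ns], raw[ns:], []byte(fmt.Sprint(id)))
    }
    ```

    Full-disk encryption protects the same table only while the server is powered off; once booted, anyone who can run SELECT sees whatever the application wrote, which is why the field is encrypted before the INSERT.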



  • @JaredBusch said in What do you use for Risk Management?:

    @DustinB3403 said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @DustinB3403 said in What do you use for Risk Management?:

    Is it just me, or are they charging for encryption functionality, which can be set up on your installation when you INSTALL... $2k annually for that is a complete ripoff.

    SimpleRisk Encrypted Database Extra

    Sensitive text is encrypted with a long, random password prior to being inserted into the SimpleRisk database, preventing anyone from being able to view or modify the data without using the SimpleRisk application directly.

    No, you have no idea what you are talking about. This is not disk encryption. This is encryption of the data in the database itself.

    But why not encrypt the entire system, why encrypt the individual records of the database?

    Who said the base system is not encrypted? That still does not provide protection to the data in the database when the system is running.

    Encrypted disks are not encrypted when the system is booted and logged in.

    True, so this is encryption while in use? Or are you making the assumption it is?



  • "What do you use for Risk Management?"

    Scotch


  • Service Provider

    @IRJ said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @IRJ said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @IRJ wow those add-ons are not cheap. Just reading the names, they each do not seem like they are worth that cost.

    Their basic hosted cost would be more cost effective for many years.

    I agree that the hosted version is much better price-wise, and of course that is what is pushed by SimpleRisk. However, it's kind of scary having all your vulnerabilities on your network managed off site by a small company.

    I totally get that too. I have done software development. I get that it is not cheap. But those prices are just out of line.

    Agreed. When we talked to the owner back in December about this we made a big stink about the price. Especially when much more robust Risk Management solutions are cheaper than SimpleRisk.

    These other enterprise solutions are very complicated to implement. It would take a team of people to implement because the system is so complicated, because it is actually set up to do calculations. SimpleRisk is simply a place to document risks. There is no need to tie them to values, assets, do calculations like ALE style calculations, etc.

    Also, when you consider you have at least a hundred users extensively using a system, is $6k really that much? If you use support once or twice you could easily recoup your $6k back in saved time.

    Oh I get how it can help. I just think these are a bit steep comparing one method to the other within their own product pricing. I cannot compare to any other products because I do not know any other products.


  • Service Provider

    @DustinB3403 said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @DustinB3403 said in What do you use for Risk Management?:

    @JaredBusch said in What do you use for Risk Management?:

    @DustinB3403 said in What do you use for Risk Management?:

    Is it just me, or are they charging for encryption functionality, which can be set up on your installation when you INSTALL... $2k annually for that is a complete ripoff.

    SimpleRisk Encrypted Database Extra

    Sensitive text is encrypted with a long, random password prior to being inserted into the SimpleRisk database, preventing anyone from being able to view or modify the data without using the SimpleRisk application directly.

    No, you have no idea what you are talking about. This is not disk encryption. This is encryption of the data in the database itself.

    But why not encrypt the entire system, why encrypt the individual records of the database?

    Who said the base system is not encrypted? That still does not provide protection to the data in the database when the system is running.

    Encrypted disks are not encrypted when the system is booted and logged in.

    True, so this is encryption while in use? Or are you making the assumption it is?

    Did you even read what you quoted?
    Do you understand what a database is?
    I am not making an assumption. This is very clear.



  • We use the one built into Nessus.


