Risk-based auditing to achieve enterprise security

April 29, 2010

Here’s a new piece I wrote for on using a risk-based auditing methodology to achieve enterprise security.

Some topics covered include:

  • Why use a risk-based audit
  • How to perform a risk assessment
  • Tips on categorizing assets
  • Classifying assets by criticality and confidentiality levels
  • Calculating risk and risk ranking
  • Developing an audit plan
  • A six-step audit methodology
  • A risk-based audit use case

Give it a read and let me know if you have any questions.

The Risk Mitigation Report

November 1, 2008

Mitigating Risk


There are many benefits to performing a risk assessment, but one of the most influential elements is the risk mitigation report. This report serves as the document that lists identified risks, with specific countermeasures for mitigation. The risk mitigation report can also serve as an accountability mechanism for personnel, as it specifically identifies who’s responsible for implementing each mitigation task.

Since it identifies all risks faced by an organization, it’s a key element for strengthening your security posture. The risk mitigation report sets the security process in motion before deploying countermeasures. Moreover, it’s an effective tool for communicating the true harm an organization faces. Thus, it can be used to help management understand and appreciate the need for security.

In addition to providing a thorough risk mitigation report, a quarterly incident/threat report can aid in supporting the business case for security funding. Such a report will provide management with updates on major security incidents, along with the actions taken in response to attacks, whether they succeeded or were thwarted. If no real threats hindered the organization that quarter, I’d provide examples of threats faced by similar organizations, just to show management that security is necessary and your recommendations are warranted.
