Controls - Scope

To measure the effect of a Control failure, correlate the Scope of the Control (which of Confidentiality, Integrity or Availability the Control mitigates the loss of) with the Impact of the process (how serious a loss of Confidentiality, Integrity or Availability is to that process). If a Control addresses a loss of Availability, but the Impact assessment rates Availability as a low-risk element for the process, the overall risk from the failure of that Control is likely Low. Conversely, if the Impact assessment rates Availability as a high-risk area, the failure of the same Availability Control has a significant effect on the organization. The Simple Risk Model therefore factors in the correlation between the Scope of the Control and the Scope of the Impact: the same Control failure is rated differently depending on which attributes the process actually depends on.
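The following is an added illustration of the Scope-to-Impact correlation described above; it is not code from the original page or from the Simple Risk Model's author. It assumes a three-level ordinal scale (Low, Medium, High) for both Impact and the resulting risk, and assumes that a Control covering several CIA attributes inherits the highest Impact rating among them. The process, Control names and ratings are constructed sample data.

```python
"""Correlating Control Scope with process Impact (added example, not the page's own code).

Assumptions (not stated on the page): Impact and risk share a Low/Medium/High
scale, and a Control that mitigates several CIA attributes is rated by the
highest Impact among the attributes it covers.
"""
from dataclasses import dataclass

CIA = ("Confidentiality", "Integrity", "Availability")
RATING = {"Low": 1, "Medium": 2, "High": 3}
LABEL = {value: name for name, value in RATING.items()}
# "None" is used for a Control whose Scope covers nothing the process was rated on.
RANK = {"High": 3, "Medium": 2, "Low": 1, "None": 0}


@dataclass(frozen=True)
class Control:
    """A Control and its Scope: the CIA attributes whose loss it mitigates."""
    name: str
    scope: frozenset

    def __post_init__(self):
        # Reject typos such as "Availabilty" early; a silent miss would rate
        # the Control as contributing no risk, which hides the real exposure.
        unknown = set(self.scope) - set(CIA)
        if unknown:
            raise ValueError(f"{self.name}: unknown scope attributes {sorted(unknown)}")


@dataclass(frozen=True)
class ProcessImpact:
    """Impact assessment: how serious a loss of each CIA attribute is to the process."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, attribute):
        return {
            "Confidentiality": self.confidentiality,
            "Integrity": self.integrity,
            "Availability": self.availability,
        }[attribute]


def control_failure_risk(control, process):
    """Risk from this Control failing: the highest Impact rating among the
    attributes the Control's Scope covers (assumed rule, see module docstring)."""
    in_scope = [RATING[process.rating(attr)] for attr in control.scope]
    if not in_scope:
        return "None"
    return LABEL[max(in_scope)]


def rank_controls(controls, process):
    """Order Controls by the risk their failure poses to the process, highest
    first (ties broken by name), so review effort goes to the ones that matter."""
    scored = [(c.name, control_failure_risk(c, process)) for c in controls]
    return sorted(scored, key=lambda item: (-RANK[item[1]], item[0]))


# Constructed sample data: a payroll process where Confidentiality and
# Integrity matter a great deal but a short outage is tolerable.
PAYROLL = ProcessImpact("Payroll", confidentiality="High", integrity="High", availability="Low")

CONTROLS = [
    Control("Offsite backups", frozenset({"Availability"})),
    Control("Database encryption", frozenset({"Confidentiality"})),
    Control("Change approval", frozenset({"Integrity", "Availability"})),
]


if __name__ == "__main__":
    for name, risk in rank_controls(CONTROLS, PAYROLL):
        print(f"{name:22s} failure risk to {PAYROLL.name}: {risk}")
```

Run against the sample data, the Availability-only Control ("Offsite backups") rates Low despite being a perfectly good Control, because Payroll tolerates an outage; the same Control against a process rated High on Availability would rate High. The ValueError on an unknown attribute is the check a practitioner wants: a misspelled Scope must fail loudly rather than drop the Control out of the ranking.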