Risk Analysis and CRAMM Risk Analysis
Risk analysis (including CRAMM risk analysis) is a process essential to the correct design and implementation of security measures. It identifies security risks, which depend on the assets (components) of the system under evaluation, on the vulnerability of those assets, on the effect of the environment (threat intensity) and on the potential negative effect on system operation (impacts).
Our risk analysis methodology covers all spheres of security (information system security, building security, physical and personal security, and supporting infrastructure security). We use both automated systems and non-automated procedures for risk analysis.
For a long time we have applied an effective, time-efficient risk analysis methodology in various environments, using a non-automated procedure that produces fast and conclusive outputs suitable for management. The main objective of this methodology is to identify the main threats, vulnerabilities and impacts on the strategic axes (functions) of an organization.
We have many years of experience working with various automated risk analysis systems.
These systems help you gain a realistic idea of the security risks, the proposed security measures and their effect on system security before you invest in security technologies. The CRAMM tool is one such system.
Risk analysis according to the CRAMM methodology does not analyze the security of individual information system assets. Instead, it groups them into logical units – asset models – which then enter the risk analysis proper.
The risk analysis carried out using the CRAMM tool comprises three stages, each supported by questionnaires and guidelines.
Stage 1 – Asset Identification, Model Development, Asset Evaluation
- Identification of assets – data, services over data, software, physical assets and premises
- Development of asset models defining the dependence between various asset types
- Evaluation of data assets (impact of disclosure, modification, destruction, and unavailability)
- Evaluation of physical and software assets (cost of their recovery, reconstruction)
Stage 2 – Risk Specification
Calculation of the risks resulting from threats affecting the system or network, based on the asset evaluation and on the evaluation of threat levels and vulnerability.
Stage 3 – Risk Management
Risk management includes identification, selection and implementation of appropriate security measures to reduce risk to an acceptable level.
The CRAMM tool selects measures from its library of measures that together cover all possible threats identified in the second stage, taking account of the calculated risk exposure. The result is an IS security profile.





