By Hank Marquis

The IT Infrastructure Library (ITIL^®) promotes the CCTA Risk Analysis and Management Method (CRAMM) for risk assessment.  Everyone agrees managing risk is critical, yet few actually use CRAMM or any other formal system!

Part of the reason for this is that CRAMM is a sophisticated software tool that requires a trained practitioner to operate.  However, if you examine CRAMM, you soon realize you can obtain many of the benefits without investing in consultants or expensive software solutions.

CRAMM is simply a process template for analyzing risks (threats an asset faces due to vulnerabilities) and then managing those risks through countermeasures.  While CRAMM software includes over 3,000 countermeasures in its database -- something you don’t get doing CRAMM yourself -- you can still achieve sound risk assessments.

Following I will explain CRAMM goals, methods, techniques and applications; then I will show how to gain many CRAMM benefits in a matter of minutes -- for very low cost.

CRAMM provides a framework to calculate risk from asset values and vulnerabilities, referred to as Risk Analysis.  The framework also helps you avoid, reduce, or choose to accept these risks, referred to as Risk Management. 

The idea is that by analyzing assets one can realize the potential damage caused by a failure in Confidentiality (unauthorized disclosure), Integrity (unauthorized modification or misuse) or Availability (destruction or loss).  CRAMM supposes that it is cost prohibitive to eliminate risk; but that you can cost effectively mitigate risk by structured analysis of assets.

CRAMM follows a rigid format.  CRAMM:

• Uses meetings, interviews, and questionnaires for data collection.

•  Identifies and categorizes IT assets into one of three categories: 1) data, 2) application/software 3) physical assets (equipment, buildings, staff, etc.)

• Requires you to consider the Impact of the loss of Confidentiality, Integrity and Availability (CIA) of the asset.

• Expresses Vulnerability (the likelihood that a threat may occur) as: very high, high, medium, low or very low.

• Expresses Risk (the likelihood that a threat could exploit the Vulnerability) as: high, medium or low.

CRAMM has three stages:

1. Asset identification and valuation.  The goal here is to identify and value assets.
2. Threat and vulnerability assessment.  The goal here is to assess the CIA risks to assets. 
3. Countermeasure selection and recommendation.  The goal here is to identify the changes required to manage the CIA risks identified.

Risk Assessment comprises stage 1, and about half of stage 2; Risk Management the balance of stage 2 and stage 3.  At each stage there is discussion and agreement with appropriate level management.  This is where awareness builds in management of the issues.  One of the most difficult aspects of risk management is justifying the costs involved, which may be very high.  Traditional cost vs. benefit analysis does not work well for security, and CRAMM provides a clearer method for showing the potential cost to an organization.  CRAMM also involves the entire organization (management, IT staff and Customers) in the process, creating buy-in and acceptance of the result of your assessment.

The Manual CRAMM

Without the CRAMM software, you can approximate a CRAMM session using some paper, pencils, office tools like spreadsheets and word processors, the knowledge of your staff, the security Incidents that have occurred, and of course, news about the latest hacker exploits. 

The following assessment process is based on CRAMM tenets, but does not provide the same level of detail, control, or options as the CRAMM software.  On the other hand, you wont spend thousands of dollars and you will still find it capable and valuable!  Figure 1 shows the results of a completed “Manual CRAMM” assessment.

Figure 1.  Example Manual “CRAMM” Grid

Following is a 10-step plan that involves IT staff and the Business, enhances the IT infrastructure (products) and organization (people, process) security, and provides sound financial justification to the business for the expenditures required. 

1. Gain (or grant) authority for the security review to proceed.
    
2. Define the scope of the review (IT service, location, application, etc.,) assign a team, and identify sources of information.  Draft, review, and agree a project control document.  You are now ready to start collecting data!
    
3. Begin stage 1 -- identify assets within the scope of the review (data, application/software and physical assets.)  A Configuration Management Database (CMDB) is valuable here, if you do not have a CMDB then ask around about important data, software or physical assets.  You can leverage previous Business Impact Analysis (BIA) work that you have done here as well.  [See ‘How to Win with BIA’ DITY Vol. 2 #2 for more on BIA] 
    
4. Prepare a grid or table.  A spreadsheet works well for this.  (See figure 1.)  For each asset, list the asset and the asset “owner” -- the owner is the person who knows best, the usage and value of this asset.  This process also raises the level of acceptance of your review findings and proposals. 
    
5. Interview the asset owner; have the asset owner value data and software assets by the impact/cost resulting from loss of Confidentiality, Integrity, or Availability; and physical assets by replacement cost.  Have data owners consider the impact of the following attributes of their asset:
   1. Confidentiality -- impact of or sensitivity to disclosure of the asset to non-authorized parties, e.g., “employees,” “contractors,” etc.  Use confidentiality requirement categories of public (0), restricted (1-5), confidential (6-9), and secure (10).
   2. Integrity -- impact of unknown or unauthorized modification e.g. “data input errors,” etc.  Use integrity requirement categories of low (1-3), moderate (4-7), high (8-9), and very high (10).
   3. Availability -- impact of the asset being unavailable for various time frames, e.g., “less than 15 minutes”, “1 hour”, “1 day”, etc.  Use availability requirement categories of low (1-3), moderate [OK to recover in days] (4-6), high [hours] (7-8), very high [minutes] (9), and mandatory [cannot be down] (10).

For a, and c above, have the data owner first choose a category for each, then a value within the category.  For example, for Integrity, have them choose first from low, moderate, high and very high.  Then, if they chose moderate in this case, ask them to rank the impact on a scale of 4 to 7. 

If there are existing measures already in place to control risks identify them during this stage.  Update the grid and move to stage 2. 
 

6. Begin stage 2 -- review and agree deliverables from Stage 1.  Determine how likely each risk in stage 1 is by asking questions of support personnel, experts and other personnel using prepared questionnaires to try and asses the likelihood that the identified risks could actually occur.  Consider Hackers (inside and outside the company), Viruses, Failures (hardware and software), Disasters (terrorism and natural), and People, process or procedure errors.  Create a column for each threat.  Use a categories of none (0), low (1-4), moderate (5-7), high (8-9), and very high (10).  Update the spreadsheet for each asset.
    
7. Calculate the Risk entry by multiplying the Impact by the Vulnerability.  Based on the risk score (impact X vulnerability) assign a label of low (1-33), medium (34-67), or high (68-100).  Update the spreadsheet for each asset.  You now have an agreed list of the most vulnerable areas!  Since this list is developed with and agreed by the Business, you also have a powerful ally for justifying the need to proceed.
    
8. Begin stage 3 -- review and agree deliverables from Stage 2.  Begin to identify and select countermeasures for those assets with the highest risk level.  CRAMM contains a very large countermeasure library consisting of over 3000 detailed countermeasures organized into over 70 logical groupings.  Of course, without the CRAMM software, you do not have this, but you can still come up with many possible countermeasures through brainstorming and researching the risks identified.  [See ‘Availability Management on a Budget’ DITY Vol. 1 #2 for more on using tools like CFIA, FTA, SOA and others to develop solutions.] 
    
9. Consider countermeasures and ways to mitigate the threats.  Focus on the higher-level threats first, but don't overlook quick, easy or cheap fixes to lower level threats.  In Figure 1, notice that we also chose to implement some countermeasures for low level as well as high level threats.  Give precedence to those countermeasures that:
   1. protect against several threats
   2. protect high risk assets
   3. apply where there are no countermeasures already in use
   4. are less expensive to implement
   5. are more effective at preventing or mitigating threats
   6. prevent threats rather than detecting or facilitating recovery
   7. can be implemented quickly, easily and inexpensively (even for low risk)
       
10. Raise an RFC for the highest-level threats; use your assessments as justification for the Change.  Produce a schedule and plan for implementation of agreed countermeasure recommendations. 

The concepts of CRAMM applied via formal methods like these ensure consistent identification of risks and countermeasures, and provides cost justification for the countermeasures proposed.  Even without expensive CRAMM software, you can gain powerful benefits like driving Business/IT Alignment, bringing security risks to the forefront, and assisting in the cost justification of countermeasures.

--

Entire Contents © 2006 itSM Solutions LLC.  All Rights Reserved.