This article can also be found in the Premium Editorial Download "Information Security magazine: Five crucial virtualization do's and don'ts."
Its real power lies in its ability to categorize every asset in the organization--processes, applications, technical components and facilities--associate a risk level with each, and keep track of the controls that are implemented on an asset-by-asset basis. The tool also helps keep track of the personnel associated with the assets and the threats to them.
Risk information is collected using one or more questionnaires applicable to different assets, based on their categorization. For example, one or more data center-specific questionnaires can be assigned to the appropriate personnel for data centers. Risk Manager gathers information about all the assets in a particular scope and quantifies the associated risk, keeping track of the status of controls on an asset-by-asset basis.
This was first published in June 2008