CRAMM (CCTA Risk Analysis and Management Method) is a risk management methodology, currently on its fifth version, CRAMM Version 5.0.
CRAMM was created in 1987 by the Central Computer and Telecommunications Agency (CCTA), now renamed into Cabinet Office, of the United Kingdom government.
The Central Computer and Telecommunications Agency (CCTA) was a UK government agency providing computer and telecoms support to government departments.
The Cabinet Office is a department of the Government of the United Kingdom responsible for supporting the Prime Minister and Cabinet of the United Kingdom. It is composed of various units that support Cabinet committees and which co-ordinate the delivery of government objectives via other departments. It currently has just over 2,000 staff, most of whom work in Whitehall. Staff working in the Prime Minister's Office are part of the Cabinet Office.
CRAMM comprises three stages, each supported by objective questionnaires and guidelines. The first two stages identify and analyze the risks to the system. The third stage recommends how these risks should be managed.
The three stages of CRAMM are as follows:
The establishment of the objectives for security by:
The assessment of the risks to the proposed system and the requirements for security by:
Identification and selection of countermeasures that are commensurate with the measures of risks calculated in Stage 2.
CRAMM contains a very large countermeasure library consisting of over 3,000 detailed countermeasures organised into over seventy logical groupings.
CRAMM is in use by NATO, the Dutch armed forces, and corporations working actively on security, like Unisys.
The North Atlantic Treaty Organization, also called the North Atlantic Alliance, is an intergovernmental military alliance between 29 North American and European countries. The organization implements the North Atlantic Treaty that was signed on 4 April 1949. NATO constitutes a system of collective defence whereby its independent member states agree to mutual defence in response to an attack by any external party. NATO’s Headquarters are located in Haren, Brussels, Belgium, while the headquarters of Allied Command Operations is near Mons, Belgium.
Unisys Corporation is an American global information technology company based in Blue Bell, Pennsylvania, that provides a portfolio of IT services, software, and technology. It is the legacy proprietor of the Burroughs and UNIVAC line of computers, formed when the former bought the latter.
CRAMM is offered in English and Dutch versions.
Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. The information or data may take any form, e.g. electronic or physical. Information security's primary focus is the balanced protection of the confidentiality, integrity and availability of data while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a multi-step risk management process that identifies assets, threat sources, vulnerabilities, potential impacts, and possible controls, followed by assessment of the effectiveness of the risk management plan.
Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
Security management is the identification of an organization's assets, followed by the development, documentation, and implementation of policies and procedures for protecting these assets.
Broadly speaking, a risk assessment is the combined effort of 1. identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment ; and 2. making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors. Put in simpler terms, a risk assessment analyzes what can go wrong, how likely it is to happen, what the potential consequences are, and how tolerable the identified risk is. As part of this process, the resulting determination of risk may be expressed in a quantitative or qualitative fashion. The risk assessment is an inherent part of an overall risk management strategy, which attempts to, after a risk assessment, "introduce control measures to eliminate or reduce" any potential risk-related consequences.
A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Examples of systems for which vulnerability assessments are performed include, but are not limited to, information technology systems, energy supply systems, water supply systems, transportation systems, and communication systems. Such assessments may be conducted on behalf of a range of different organizations, from small businesses up to large regional infrastructures. Vulnerability from the perspective of disaster management means assessing the threats from potential hazards to the population and to infrastructure. It may be conducted in the political, social, economic or environmental fields.
In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface.
The Federal Information Security Modernization Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Feasibility Study is an assessment of the practicality of a proposed project or system.
Critical infrastructure protection (CIP) is a concept that relates to the preparedness and response to serious incidents that involve the critical infrastructure of a region or nation.
Threat modeling is a process by which potential threats, such as structural vulnerabilities can be identified, enumerated, and prioritized – all from a hypothetical attacker’s point of view. The purpose of threat modeling is to provide defenders with a systematic analysis of the probable attacker’s profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like “Where are the high-value assets?”, “Where am I most vulnerable to attack?”, “What are the most relevant threats?”, and “Is there an attack vector that might go unnoticed?”.
Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. It uses physical, technical, and administrative controls to accomplish these tasks. While focused predominantly on information in digital form, the full range of IA encompasses not only digital, but also analog or physical form. These protections apply to data in transit, both physical and electronic forms, as well as data at rest in various types of physical and electronic storage facilities. Information assurance as a field has grown from the practice of information security.
Information Technology Security Assessment is an explicit study to locate IT security vulnerabilities and risks.
Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. By extension, ISM includes information risk management, a process which involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This of course requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.
MEHARI is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.
Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.
In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm.
In information security, computer security and network security, an asset is any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware, software and confidential information. Assets should be protected from illicit access, use, disclosure, alteration, destruction, and/or theft, resulting in loss to the organization.
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
ISO/IEC 27001 is an information security standard, part of the ISO/IEC 27000 family of standards, of which the last version was published in 2013, with a few minor updates since then. It is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.
A cyber PHA is a detailed cybersecurity risk assessment methodology that conforms to ISA 62443-3-2. The name, cyber PHA, was given to this method because it is similar to the Process Hazards Analysis (PHA) or the hazard and operability study (HAZOP) methodology that is popular in process safety management, particularly in industries that operate highly hazardous industrial processes.