In practice, risk assessment is most often carried out with specialized automated risk assessment tools, commercial or free, that analyze risk from the data fed into them and ultimately produce a risk assessment together with recommended security measures. Commonly used automated risk assessment tools include:
* COBRA--COBRA (Consultative, Objective and Bi-functional Risk Analysis) is a risk analysis software package from the UK company C&A Systems Security. It collects data through questionnaires and analyzes the organization's risk qualitatively; the final assessment report lists the identified risks with their levels and the recommended measures. COBRA also supports a knowledge-based assessment method that compares the organization's security posture against the ISO 17799 standard, identifies the gaps and proposes remedial measures. C&A offers a COBRA beta for download: http://www.security-risk-analysis.com/cobdown.htm.
* CRAMM--CRAMM (CCTA Risk Analysis and Management Method) is a quantitative risk analysis tool, which also supports qualitative analysis, developed in 1985 by the Central Computer and Telecommunications Agency (CCTA) of the UK government. After several versions (now the fourth edition), it is managed and licensed by the consulting company Insight. CRAMM is a structured method for assessing the risks of information systems and identifying appropriate responses; it can be applied to various types of information systems and networks and at every stage of the information system lifecycle. The CRAMM security model database is built on the well-known "asset/threat/vulnerability" model, and an assessment proceeds in three stages: asset identification and valuation, threat and vulnerability assessment, and selection of appropriate recommended countermeasures. CRAMM is consistent with the BS 7799 standard and provides up to 3,000 optional security controls. Beyond risk assessment, CRAMM also supports business continuity management in line with the ITIL (IT Infrastructure Library) guidance.
* ASSET--ASSET (Automated Security Self-Evaluation Tool) is an automated tool for security risk self-assessment issued by the US National Institute of Standards and Technology (NIST). It uses a typical knowledge-based analysis approach: questionnaires are used to assess the gap between the system's security status and the NIST SP 800-26 guide. NIST Special Publication 800-26, the Security Self-Assessment Guide for Information Technology Systems, provides a set of control objectives and recommended techniques for organizations conducting IT system risk assessments. ASSET is a free tool that can be downloaded from the NIST website: http://icat.nist.gov.
* CORA--CORA (Cost-of-Risk Analysis) is a risk management decision support system developed by International Security Technology, Inc. (www.ist-usa.com). It uses a typical quantitative analysis method and can conveniently collect, organize, analyze and store risk data, giving the organization an accurate basis for its risk management decisions.
* Microsoft Security Assessment Tool (MSAT)--MSAT is a Microsoft risk assessment tool that, unlike MBSA, does not scan and evaluate systems directly. Instead it works from a detailed questionnaire and related information: it processes the questionnaire feedback, evaluates the organization's security practices in the areas of infrastructure, applications, operations and people, and then proposes corresponding security risk management measures and recommendations. Put simply, if MBSA is a scanner, then MSAT is a risk assessment tool. MSAT is free but requires registration to download from the Microsoft website. Download address: http://www.microsoft.com/china/security/msat/default.asp
* Microsoft Baseline Security Analyzer (MBSA)--as part of the Microsoft Strategic Technology Protection Program, Microsoft developed MBSA to directly meet users' need for a simple way to identify common security-related configuration errors. MBSA version 1.2 includes both a graphical and a command-line interface for scanning local or remote Windows systems. MBSA runs on Windows 2000 and Windows XP and can scan the following products for common configuration errors: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS), SQL Server, Internet Explorer, and Office. MBSA 1.2 can also scan the following products for missing security updates: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, IE, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server, and Office. MBSA is a free tool; download address: http://www.microsoft.com/china/technet/security/tools/mbsahome.mspx