CYRVM - CYber Risk and Vulnerability Management

What is the Risk?

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. In order to minimize the impact on the organization, a Risk Assessment is made to maximize the security on all your assets.

The Risk Assessment

Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC (Systems Development Life Cycle).

OpenVAS and OWASP ZAP support

Import an entire network scan OpenVAS or OWASP ZAP report to retrieve all the informations about your previously defined network and continue the Risk Assessment process. You can even import a single resource scan report while defining an asset, adding even more informations to your Risk Assessment.

Scope of this tool

CYRUM helps companies with Cyber Risk and Vulnerability Assessment.

This software is designed to help companies to to follow NIST 800-30 framework. The help is provided through: 1) a 9 steps guidance for risk assessment; 2) a privacy-preserving collaboration method; 3) assisted risk insertion by supporting security scanner report (OpenVAS and OWASP ZAP)

Can i build my own?

Yes, this website is an acronym for Cyber Risk and Vulnerability Assessment.

It's based on the NIST 800-30 framework and it's built to guide you through all the processes of the assessment. At the end, you will create a Risk Assessment Report which can be given to your CISO (Chief Information Security Officer).

Why should i do the Risk Assessment?

In the Risk Assessment you define all the characteristics, the threats and vulnerabilities which affects your organization.

The Risk Management process it's a necessary step to improve the efficiency and the security of an organization.
It allows the Chief Information Security Officer to understand what are the weak parts of the organization, which ones have the highest priority and fix them with the highest Cost/Benefit Ratio.

Risk Assessment made easier

This website is based on the NIST 800-30 framework

The NIST 800-30 Framework is a document which explains the Risk Assessment phase in 9 steps.
Building the Risk Assessment it's no easy task, but with this website you will be guided through all the 9 steps. At last, you can generate your own Risk assessment report to be used by your CISO

Learn which are the NIST 800-30 Framework Risk Assessment 9 steps before proceding.

Get Started or Proceed Now

Step 1

System Characterization

You define all the assets, the resources and the information that constitute your system. (e.g., hardware, software, system connectivity, and responsible division or support personnel)

Step 2

Threat identification

You identify the potential threat-sources and compile a threat statement listing potential threat-sources that are applicable to the IT system being evaluated. (e.g. Computer criminal that should hack your system)

Step 3

Vulnerability identification

You define a list of the system vulnerabilities (observations) that could be exercised by the potential threat-sources. (e.g. your router firmware has a bug which allows unauthorized users to gain root access)

Step 4

Control Analysis

In this step you analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat’s exercising a system vulnerability. (e.g. currently installed firewall prevents unauthorized access from outside the organization)

Step 5

Likelihood Determination

The objective of this step is derive, with the previous considerations, a likelihood rating score for each vulnerability (e.g. after all the considerations and researches, you estimated that a hard drive can fault one time every two years, so you give it a score of 0.5 out of 1.0)

Step 6

Impact Analysis

The objective is determine the adverse impact resulting from a successful threat exercise of a vulnerability (e.g. after all the considerations and researches, you estimate that a hard disk fault means losing some of your datas, so you give it a score of 8 out of 10)

Step 7

Risk Determination

The purpose of this step is to assess the level of risk to the IT system using the Likelihood scores and Impact scores you provided before.

Step 8

Control Recommendation

During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. (e.g. you might want to buy a backup disk or make a RAID redundancy control, so you suggest it in your report via a recommended control)

Step 9

Results Documentation

The final report summarize all the threats, vulnerabilities, controls and risk scores previously defined. The report should be given to your CISO.

Proceed Now

OpenVAS/OWASP ZAP REPORT IMPORT

Import

Discover how to create your own Cyber Risk and Vulnerability Assessment Project.

Based on NIST 800-30 Framework