Risk assessment tool is free to feds

Government IT administrators can get a year's almost-free use of the Cost of Risk Assessment tool from International Security Technology Inc.

CORA, which prioritizes risk management and security spending, fits the national strategy of managing IT security better, said Robert V. Jacobson, chief executive officer of the New York company.

'Uncle Sam isn't doing a good job of allocating the resources,' Jacobson said. 'It can't be guesswork.'

CORA has been used by a number of agencies since its 1978 introduction as the Risk Analysis and Management Program for mainframes, Jacobson said. But the company does not have a large federal presence.

'It seemed like a good thing for an American citizen to do,' Jacobson said of the offer to government IT managers. Plus, he said, it's good marketing.

A free one-year CORA license is open to federal, state and local agencies, but they must pay $5,850 for setup and on-site training for up to five people. CORA's list price is $32,500. It runs under Microsoft Windows 9x and later operating systems.

Finding the best price

The administrator has to enter detailed data about enterprise systems, agency operations and pertinent threats. The tool then builds a risk model and evaluates the costs of mitigation and recovery to determine the most cost-effective measures.
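The article does not describe CORA's internal model, so the following is an added illustration, not the product's code or method: the standard quantitative risk-analysis arithmetic that tools of this class are built on. Each threat gets a single loss expectancy (SLE, the cost of one occurrence) and an annualized rate of occurrence (ARO); their product is the annualized loss expectancy (ALE). A countermeasure is worth its annual cost only if the ALE it removes exceeds that cost, which is the return-on-investment question raised later in the article. The threats, dollar figures and countermeasure names below are constructed for the example and do not come from CORA or from any agency.

```python
"""Quantitative risk analysis: ALE before/after a countermeasure and ROSI.

Added example; hypothetical threats and figures, not CORA's model or data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: cost in dollars of one occurrence
    aro: float  # annualized rate of occurrence (expected events per year)

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str          # name of the Threat it addresses
    annual_cost: float   # amortized purchase plus yearly operating cost
    aro_factor: float    # multiplies the ARO; 0.0 means the event is prevented
    sle_factor: float = 1.0  # multiplies the SLE; <1.0 means cheaper recovery


def residual_ale(threat: Threat, cm: Countermeasure) -> float:
    """ALE that remains once the countermeasure is in place."""
    return (threat.sle * cm.sle_factor) * (threat.aro * cm.aro_factor)


def evaluate(threats: list[Threat], countermeasures: list[Countermeasure]) -> list[dict]:
    """Compute net annual benefit and ROSI for every countermeasure.

    ROSI (return on security investment) = (ALE_before - ALE_after - cost) / cost.
    A negative net benefit means the control costs more than the loss it averts.
    """
    by_name = {t.name: t for t in threats}
    rows = []
    for cm in countermeasures:
        t = by_name[cm.threat]
        before = t.ale()
        after = residual_ale(t, cm)
        net = before - after - cm.annual_cost
        rows.append({
            "countermeasure": cm.name,
            "threat": t.name,
            "ale_before": before,
            "ale_after": after,
            "annual_cost": cm.annual_cost,
            "net_benefit": net,
            "rosi": net / cm.annual_cost,
        })
    return rows


def select_cost_effective(rows: list[dict]) -> list[str]:
    """Names of countermeasures with positive net benefit, best first."""
    worthwhile = [r for r in rows if r["net_benefit"] > 0]
    worthwhile.sort(key=lambda r: r["net_benefit"], reverse=True)
    return [r["countermeasure"] for r in worthwhile]


# Constructed sample data (hypothetical single-site scenario, not from the article).
THREATS = [
    Threat("power outage", sle=40_000.0, aro=2.0),        # ALE 80,000
    Threat("backup tape loss", sle=250_000.0, aro=0.05),  # ALE 12,500
    Threat("river flood", sle=2_000_000.0, aro=0.01),     # ALE 20,000
]

COUNTERMEASURES = [
    Countermeasure("UPS plus generator", "power outage", 15_000.0, aro_factor=0.1),
    Countermeasure("encrypted offsite replication", "backup tape loss", 6_000.0,
                   aro_factor=1.0, sle_factor=0.2),
    Countermeasure("relocate data center", "river flood", 300_000.0, aro_factor=0.0),
]


if __name__ == "__main__":
    for r in evaluate(THREATS, COUNTERMEASURES):
        print(f"{r['countermeasure']:<32} ALE {r['ale_before']:>10,.0f} -> "
              f"{r['ale_after']:>9,.0f}  cost {r['annual_cost']:>9,.0f}  "
              f"net {r['net_benefit']:>10,.0f}  ROSI {r['rosi']:6.2f}")
    print("fund:", select_cost_effective(evaluate(THREATS, COUNTERMEASURES)))
```

Run stand-alone, the script ranks the generator ahead of the offsite replication and rejects the relocation: averting a $20,000-a-year flood exposure is not worth $300,000 a year, which is exactly the kind of judgment the article says must not be left to guesswork. The hard part the tool cannot remove is the data entry: every SLE and ARO above is an estimate someone has to defend.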

It does not, however, eliminate the effort of developing security and recovery plans. Evaluating a single issue, such as the proper power backup at a single site, could take several days. A more comprehensive systemwide evaluation could take years of work.

'There is no way to automate this, because when you start you don't know what matters,' Jacobson said.

CORA's fans include consultant F. Lynn McNulty, former associate director for computer security at the National Institute of Standards and Technology.

'I believe quantitative risk analysis is a component of any security program,' McNulty said. 'Security control and countermeasures cost real money. Unless you know what return you are getting on your investment, you're not likely to spend that money most effectively.'

McNulty began using the technology when it was called RAMP. 'The first time I used it was at the Federal Aviation Administration,' he said, where he was computer security director from 1973 to 1980.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
