How CRAMM works
CRAMM provides a staged and disciplined approach that covers both the technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security.
To assess these components, CRAMM proceeds in three stages:
- Asset identification and valuation
- Threat and vulnerability assessment
- Countermeasure selection and recommendation
Asset identification and valuation
CRAMM enables the reviewer to identify the physical (e.g. IT hardware), software (e.g. application packages), data (e.g. the information held on the IT system) and location assets that make up the information system. Each of these assets is then valued.
Physical assets are valued in terms of their replacement cost. Data and software assets are valued in terms of the impact that would result if the information were to be unavailable, destroyed, disclosed or modified (i.e. a loss of availability, integrity or confidentiality), so the same asset can carry a different value for each kind of impact.
Threat and vulnerability assessment
Once the potential impact is understood, the next stage is to identify how likely such problems are to occur. CRAMM covers the full range of deliberate and accidental threats that may affect information systems, including:
- Hacking
- Viruses
- Failures of equipment or software
- Wilful damage or terrorism
- Errors by people
This stage concludes by combining the asset valuations with the assessed threat and vulnerability levels to calculate the level of underlying (or actual) risk.
Countermeasure selection and recommendation
CRAMM contains a very large countermeasure library consisting of over 3000 detailed countermeasures organised into over 70 logical groupings. Each countermeasure carries a security level, a threshold measure of risk. The CRAMM software compares the measures of risk determined during the previous stage against that threshold to decide whether the risk is great enough to justify installing a particular countermeasure. CRAMM also provides a series of help facilities, including backtracking, What If? analysis, prioritisation functions and reporting tools, to assist with the implementation of countermeasures and the active management of the identified risks.
CRAMM's capabilities
For more detailed information about any of the features and tools included in the CRAMM information security toolkit, visit the Capabilities pages on this site.