
Introduction

This paper attempts to provide the reader with an objective assessment of the UK Government's Risk Analysis and Management Method (CRAMM), based on the views of a qualified CRAMM practitioner. It identifies both the advantages and disadvantages of CRAMM, and suggests scenarios in which CRAMM may not be the most suitable approach to take. The assessment was performed in September 1997.

What is CRAMM?

The Method

All organisations own assets such as data, software, services, equipment, buildings etc., upon which they rely extensively for the successful running of their businesses. These assets may be at risk and therefore need to be protected.

A number of risk analysis and management methods have been proposed for both the commercial and government sectors: risk analysis is the assessment of the risks that may give rise to a security violation; risk management is concerned with identifying appropriate countermeasures to combat those risks. These methods are currently available either as guidelines to be applied manually or as interactive software packages. One of these is CRAMM, the UK Government's Risk Analysis and Management Method (the acronym derives from CCTA, the Central Computer and Telecommunications Agency, for which the method was originally developed).

The CRAMM method is owned, administered and maintained by the UK Security Service on behalf of the UK Government. The corresponding CRAMM tool has been developed by industry in consultation with the Security Service and CESG, who are the UK Government national security authorities.

In line with nearly all risk analysis methods CRAMM asserts that risk is dependent on the asset values, the threats, and the vulnerabilities. The values of these parameters are assessed by the CRAMM practitioner in a series of interviews with the owners of the assets, the users of the system, the technical support staff, and the departmental security officer. The outcome of a CRAMM review is a set of recommended countermeasures that are deemed necessary to combat the risks in protecting the information.

This process is shown diagrammatically in Figure 1 below.

Figure 1: The CRAMM Process

If used correctly, CRAMM can provide you with a number of benefits, the most important of which, according to the CRAMM user manual, is a method by which expenditure on security and contingency can be justified. This reflects the movement of UK Government away from a risk avoidance strategy towards a risk management strategy. In other words you should be aiming at containing the risk and reducing it to an acceptable level, rather than attempting to eliminate it at any cost. Another benefit is that CRAMM will assist you in assessing requirements and options for contingency planning.

The Tool

The latest version of CRAMM (Version 3.0) has been implemented as an interactive software tool for identifying the security requirements of information processing systems. CRAMM is consistent with UK Government security policy and standards, and also with British Standard (BS) 7799:1995 — Code of Practice for Information Security Management (the original version).

The tool is available from CRAMM licensees in two customised variants: one for reviewing commercial systems (the Commercial Profile), the other for reviewing government systems (the Official Profile). The latter variant also includes a utility for deriving ITSEC assurance levels and security functionality in accordance with UK Government minimum standards.

When should I use it?

The need for trained CRAMM practitioners

Quite simply, if you've had no previous practical experience of using CRAMM, our advice is that you shouldn't! Instead you will either have to invest in CRAMM training for yourself or your staff from one of the CRAMM licensees, or pay for trained CRAMM practitioners to perform the CRAMM review for you. Even if you choose the former option you will find that the best results will only emerge after a period of practice.

Suitability

We believe that CRAMM is more suitable for systems that are already operational than for systems which are still in development. Whereas asset valuation can proceed in advance of final development proposals, a complete threat/vulnerability assessment cannot. For example, during the threat assessment interviews, questions such as "What is the trend in the number of system or network software failures?" cannot be answered accurately for a system in development, simply because the necessary operational data does not yet exist.

We also believe that CRAMM is more suitable for systems installed and operated within static locations than for mobile systems. This is because the physical and procedural countermeasures in the database tend to be geared more towards systems located in buildings than towards systems on the move (e.g. on ships or aeroplanes).

The nature and complexity of a system has no influence on suitability. In principle any system can be the subject of a CRAMM review. However, care should always be taken not to use a sledgehammer to crack a nut.

How should I use it?

The CRAMM Review Process

A CRAMM review may be undertaken during system development or carried out retrospectively for existing systems. A full review proceeds in three stages in which:

  • the assets are identified and valued;
  • the likely threats and known vulnerabilities are quantified;
  • the recommended countermeasures are generated.

At the completion of each stage information can be extracted from CRAMM in various formats. Some of these outputs contain information in predefined format and predefined order which can subsequently be processed into any required house-style using customised macros. For those systems where all the assets are of low value a short route through the method, known as a baseline review rather than a full review, is available and can be completed fairly quickly. In contrast to a baseline review, a full review can often take months to complete.

In addition to the direct benefit of generating countermeasures, a full CRAMM review provides a thoroughly useful analysis of the information system. It enables the practitioner to build a system model encapsulating the asset interdependencies, and forces the users and the other interviewees to identify which parts of the system support which business processes. The review can provide some surprisingly useful insights into system operational characteristics, as well as a comprehensive appreciation of which assets are at greatest risk, due to what threats, and with what impacts should those threats succeed. For existing systems this can be a most revealing exercise, especially where the system has been developed in piecemeal fashion over a period of time.

Some Practical Tips

As with any tool, care and common sense must be exercised in how to use CRAMM.

For instance, when identifying the constituent assets for valuation, and grouping them for threat/vulnerability analysis, opting for too fine a level of granularity can give rise to unnecessarily excessive effort, whereas too coarse a level can give rise to misleading results. For example, an information system may handle many databases, each of which models various aspects of the business. If each database were subject to the same quantifiable threats, then treating them as a single composite data asset for the threat/vulnerability assessment would be perfectly sensible; to treat them as separate data assets would be nugatory. If at the same time the impact on the business of a security breach were different for each database, then the databases would need to be valued separately: to value the data as a single composite asset would fail to expose the fact that the risk to each database might be different, requiring different levels of protection.
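The following is an added illustration of the granularity advice above, and of the earlier point that risk depends on asset value, threat and vulnerability. It is not CRAMM's own algorithm, data or scales: the 1-10 impact scale, the low/medium/high threat and vulnerability ratings, the 1-7 risk band and the combination rule in `risk_level` are all assumptions chosen for illustration, and the three databases are constructed sample data. It shows that databases sharing one threat/vulnerability profile can be assessed once as a group, while valuing them as one composite asset (by the highest or the average impact) hides the fact that their risk levels differ.

```python
"""Illustrative asset-granularity model (added example, not CRAMM's own method)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Assumed ordinal scales for illustration only.
THREAT = {"low": 1, "medium": 2, "high": 3}
VULNERABILITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class DataAsset:
    name: str
    impact: int          # assumed 1..10: worst-case business impact of a breach
    threat: str          # assumed low/medium/high likelihood of the threat arising
    vulnerability: str   # assumed low/medium/high likelihood that it succeeds


def risk_level(impact: int, threat: str, vulnerability: str) -> int:
    """Assumed combination rule mapped onto a 1..7 band. Not CRAMM's table;
    any rule that rises with each input exposes the same granularity effect."""
    if not 1 <= impact <= 10:
        raise ValueError("impact must be on the assumed 1..10 scale")
    exposure = THREAT[threat] * VULNERABILITY[vulnerability]   # 1..9
    score = impact * exposure                                  # 1..90
    return 1 + (score * 7) // 91                               # 1..7


def assessment_groups(assets):
    """Assets with an identical threat/vulnerability profile can be assessed
    once as a composite group: the sensible coarse granularity."""
    groups = defaultdict(list)
    for asset in assets:
        groups[(asset.threat, asset.vulnerability)].append(asset.name)
    return dict(groups)


def per_asset_risk(assets):
    """Value each asset separately: risk can differ within one assessment group."""
    return {a.name: risk_level(a.impact, a.threat, a.vulnerability) for a in assets}


def composite_risk(assets, how="max"):
    """Value the whole group as one asset (the misleading coarse granularity).
    'max' over-protects the low-impact members; 'mean' under-protects the
    high-impact one. Requires all members to share one threat/vulnerability profile."""
    if len(assessment_groups(assets)) != 1:
        raise ValueError("composite valuation only makes sense for one assessment group")
    impacts = [a.impact for a in assets]
    impact = max(impacts) if how == "max" else round(mean(impacts))
    threat, vulnerability = assets[0].threat, assets[0].vulnerability
    return {a.name: risk_level(impact, threat, vulnerability) for a in assets}


# Constructed sample: three databases on one server, same threat profile,
# very different business impact should a breach occur.
SAMPLE_DATABASES = [
    DataAsset("payroll", 9, "medium", "medium"),
    DataAsset("marketing_contacts", 3, "medium", "medium"),
    DataAsset("canteen_menu", 1, "medium", "medium"),
]

if __name__ == "__main__":
    print("assessment groups:", assessment_groups(SAMPLE_DATABASES))
    print("valued separately:", per_asset_risk(SAMPLE_DATABASES))
    print("composite (max):  ", composite_risk(SAMPLE_DATABASES, "max"))
    print("composite (mean): ", composite_risk(SAMPLE_DATABASES, "mean"))
```

Run stand-alone, the script shows a single assessment group but three different risk levels when the databases are valued separately; the composite valuations flatten those to one level, either over-protecting the canteen menu or under-protecting payroll.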

Another note of caution concerns the CRAMM countermeasure database. Although the database is very extensive, it is structured hierarchically and provides three levels of detail: security objectives, detailed countermeasure descriptions, and implementation examples. Consequently, when you select the recommended countermeasures, you should be careful to choose a level of detail that is commensurate with the task in hand. For example, selecting the security objectives might be most appropriate for writing a security policy document, whereas including the corresponding detailed descriptions might be more appropriate for producing a design proposal.

Ultimately the purpose of a CRAMM review is to identify a recommended set of countermeasures, necessary to reduce the risks to an acceptable level, and to present these recommendations in the form of a Management Report. CRAMM offers guidelines as to how these reports should be structured but in our experience the recommended structures are not always appropriate. In particular the final (Stage 3) report may need to be tailored to meet the specific characteristics of the system and the organisation's house style.

Conclusions

In conclusion, CRAMM has its good points and its bad points. Some of the good points are:

  • CRAMM offers a structured approach to risk analysis, based on a well established method;
  • The tool encourages reviewers to perform a thorough security audit on information systems;
  • The tool offers an extensive hierarchical countermeasure database;
  • The tool allows reviewers sufficient flexibility in support of system modelling;
  • The tool offers assistance in contingency planning.

Some of the bad points are:

  • The tool should be used only by experienced CRAMM practitioners;
  • Full reviews can take months rather than days;
  • The tool generates far too much hard-copy output;
  • The tool offers little flexibility for customising hard-copy output to meet customers' house-styles;
  • The tool is slow in operational performance.
Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Copyright © Gamma Secure Systems Limited 1998-2003
Page last updated: 17 January, 2003