What misunderstandings arise when Party B (the assessor) performs a risk assessment for Party A (the customer)?

The following answers are taken from relevant articles published by Gu'an Tianxia Consulting.

Many people are no strangers to the same set of methods and the trade-off they involve. On the one hand, we should assess risk as effectively and comprehensively as possible, and control it effectively according to the risk found; this is the perspective of the assessment's practical usefulness and its effect on the customer (that is, project quality). On the other hand, we must keep the project on schedule. Anyone who does assessments regularly knows that risk assessment should not go into too much detail in the asset identification stage, and that avoiding turning it into a CMDB exercise is precisely how project progress is kept under control.

Every company or individual may have a "best" methodology for risk assessment of information assets, usually accumulated and refined over years of practice or borrowed directly from others, and risk assessments for customers are usually carried out using this set of so-called best practices (especially by novices). However, this ignores a problem: the actual situation of each customer is different, and so is the scope of the project. The distribution and management of information assets, the degree to which the customer actually cooperates, and whether the customer needs to pass a certification all differ. During implementation you may find that the customer's existing asset management is very chaotic, that there is no central or unified owner who understands and manages assets, that knowledge of the assets is spread too thinly across personnel, that it is unclear whether the assessment results should be combined with the insurance and security fields, that the customer lacks the personnel and time to cooperate with your work, and so on.

If the assessment method is not chosen to suit the customer, it will sometimes affect the implementation of the project. We therefore need to adjust our assessment and implementation methods to the customer's specific situation: for example, whether to assess by department, by asset classification or by system grouping, and how fine the granularity of asset classification should be. In other words, we may have to master more than one set of risk assessment methods at the same time, because the same method cannot be applied unchanged to every project. Of course, if you don't accept my point of view, I'm afraid it doesn't make much sense to read the following.