
History CRAMM _CCTA Risk Analysis and Management Method ...


Shared by: linzhengnd
Posted: 11/9/2011
History



CRAMM (CCTA Risk Analysis and Management Method) was created in 1987 by the Central Computing and Telecommunications Agency (CCTA) of the United Kingdom government. CRAMM is currently on its fifth version, CRAMM Version 5.0. It comprises three stages, each supported by objective questionnaires and guidelines. The first two stages identify and analyze the risks to the system. The third stage recommends how these risks should be managed. The three stages of CRAMM are as follows:







Stage 1: The establishment of the objectives for security by:

- Defining the boundary for the study;
- Identifying and valuing the physical assets that form part of the system;
- Determining the ‘value’ of the data held by interviewing users about the potential business impacts that could arise from unavailability, destruction, disclosure or modification;
- Identifying and valuing the software assets that form part of the system.







Stage 2: The assessment of the risks to the proposed system and the requirements for security by:

- Identifying and assessing the type and level of threats that may affect the system;
- Assessing the extent of the system's vulnerabilities to the identified threats;
- Combining threat and vulnerability assessments with asset values to calculate measures of risks.







Stage 3: Identification and selection of countermeasures that are commensurate with the measures of risks calculated in Stage 2. CRAMM contains a very large countermeasure library consisting of over 3000 detailed countermeasures organised into over 70 logical groupings.







Website of this product: http://www.cramm.com/overview/howitworks.htm

How CRAMM works



CRAMM provides a staged and disciplined approach embracing both technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security.



In order to assess these components, CRAMM is divided into three stages:

- Asset identification and valuation
- Threat and vulnerability assessment
- Countermeasure selection and recommendation



Asset identification and valuation







CRAMM enables the reviewer to identify the physical (e.g. IT hardware), software (e.g. application packages), data (e.g. the information held on the IT system) and location assets that make up the information system. Each of these assets can be valued.

Physical assets are valued in terms of the replacement cost. Data and software assets are valued in terms of the impact that would result if the information were to be unavailable, destroyed, disclosed or modified.



Threat and vulnerability assessment







Having understood the extent of potential problems, the next stage is to identify just how likely such problems are to occur. CRAMM covers the full range of deliberate and accidental threats that may affect information systems including:

- Hacking
- Viruses
- Failures of equipment or software
- Wilful damage or terrorism
- Errors by people

This stage concludes by calculating the level of the underlying or actual risk.



Countermeasure selection and recommendation







CRAMM contains a very large countermeasure library consisting of over 3000 detailed countermeasures organised into over 70 logical groupings. The CRAMM software uses the measures of risks determined during the previous stage and compares them against the security level (a threshold level associated with each countermeasure) in order to identify if the risks are sufficiently great to justify the installation of a particular countermeasure. CRAMM provides a series of help facilities including backtracking, What If?, prioritisation functions and reporting tools to assist with the implementation of countermeasures and the active management of the identified risks.
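The sketch below is an added example, not CRAMM's own code or data: it walks the three stages end to end and reruns the selection as a "What If?" with a raised threat level. The 1-10 asset scale, the threat and vulnerability bands, the rule that scales their product to a 1-7 measure of risk, and every asset, countermeasure and threshold value are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All scales, names and values below are assumptions constructed for this example;
# they are not CRAMM's own tables or library entries.
IMPACTS = ("unavailability", "destruction", "disclosure", "modification")
THREAT = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
VULN = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Countermeasure:
    name: str
    group: str            # logical grouping in the library
    threat: str           # threat the countermeasure addresses
    security_level: int   # threshold: justified when risk >= this

def asset_value(impacts):
    """Stage 1: value a data asset by its worst-case impact (1-10 scale)."""
    return max(impacts[k] for k in IMPACTS)

def measure_of_risk(value, threat_level, vuln_level):
    """Stage 2: combine asset value, threat and vulnerability into a 1-7 measure."""
    raw = value * THREAT[threat_level] * VULN[vuln_level]   # 1..150
    return 1 + min(6, raw * 7 // 150)

def recommend(value, assessment, library):
    """Stage 3: keep countermeasures whose threshold the risk reaches, highest risk first."""
    risks = {t: measure_of_risk(value, tl, vl) for t, (tl, vl) in assessment.items()}
    picks = [c for c in library if risks.get(c.threat, 0) >= c.security_level]
    picks.sort(key=lambda c: (-risks[c.threat], c.security_level, c.name))
    return risks, picks

PAYROLL = {"unavailability": 4, "destruction": 6, "disclosure": 8, "modification": 7}
ASSESSMENT = {"hacking": ("high", "medium"), "viruses": ("medium", "low"),
              "equipment failure": ("low", "high")}
LIBRARY = [
    Countermeasure("Network access controls", "Network security", "hacking", 3),
    Countermeasure("Intrusion detection", "Network security", "hacking", 5),
    Countermeasure("Anti-virus software", "Malware protection", "viruses", 2),
    Countermeasure("Standby equipment", "Resilience", "equipment failure", 4),
]

if __name__ == "__main__":
    value = asset_value(PAYROLL)
    for label, assessment in (("baseline", ASSESSMENT),
                              ("what if", dict(ASSESSMENT, hacking=("very high", "high")))):
        risks, picks = recommend(value, assessment, LIBRARY)
        print(label, risks, [c.name for c in picks])
```

In the baseline run the hacking risk reaches only the lower of the two hacking thresholds, so intrusion detection is not yet justified; the "What If?" run shows it entering the recommendation once the threat and vulnerability ratings rise.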


