The four phases of PUSH are:

  • Preparation
    Defining audience and purpose of risk assessment.
  • Universe definition
    Identifying and characterizing the most critical assets, risks and controls.
  • Scoring
    Choosing consistent scales to rate the importance of assets, the impact of risks and the effectiveness of controls.
  • Hitting the mark
    Ensuring the risk assessment fulfils the purpose set out in the planning phase.

Risk Assessment Methodologies

  • OCTAVE is a self-directed approach in which an interdisciplinary team, focusing on operational risk and security practices, performs the risk analysis.
  • FRAP is a qualitative risk analysis approach that uses pre-screening to identify critical risk areas.
  • NIST is a qualitative risk assessment methodology established with healthcare in mind.
  • Failure modes and effect analysis assesses risk by examining the effects of failures on three levels.
  • CRAMM is an IT risk analysis method used in the British Government.