Security Basics mailing list archives
RE: Assessment Methodology
From: "Randy Golly" <rcgolly () vermeertexas com>
Date: Tue, 26 Oct 2004 21:38:27 -0500
I've used OCTAVE as a base and just modified it to what I was reporting. Keeping right on the suggested guidelines gets a bit wordy and looses its audience pretty quick. It's a good base to work from though. -----Original Message----- From: robert () dyadsecurity com [mailto:robert () dyadsecurity com] Sent: Monday, October 25, 2004 6:58 PM To: Paul Ryan Cc: security-basics () securityfocus com Subject: Re: Assessment Methodology Paul Ryan(pryan () rogers wave ca)@Mon, Oct 25, 2004 at 02:40:53PM -0400:
I am in the process of doing an audit on various portions of our IT infrastructure. I wanted to know everyone's opinions on what the preferred metric system is. I've been researching OCTAVE - my objective is to
provide
a report with a scheme that easily reflects the status based on our
current
policy. Something like pass,fail or compliance % - just brainstorming here
We've always done tests based on what we can actually measure. We try to represent findings in terms that clearly articulate what we measured. As far as methodologies that we've seen, evaluated, and used, I have had the best practical results by using the Open Source Security Testing Methodology Manual (www.OSSTMM.org) from the Institute for Security and Open Methodologies (www.ISECOM.org). Robert -- Robert E. Lee CTO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - robert () dyadsecurity com M - (949) 394-2033
Attachment:
smime.p7s
Description:
Current thread:
- Assessment Methodology Paul Ryan (Oct 25)
- Re: Assessment Methodology robert (Oct 26)
- <Possible follow-ups>
- RE: Assessment Methodology Randy Golly (Oct 27)