RE: Assessment Methodology

["Randy Golly" <rcgolly () vermeertexas com>]

I've used OCTAVE as a base and just modified it to what I was reporting.
Keeping right on the suggested guidelines gets a bit wordy and looses its
audience pretty quick.  It's a good base to work from though.


-----Original Message-----
From: robert () dyadsecurity com [mailto:robert () dyadsecurity com] 
Sent: Monday, October 25, 2004 6:58 PM
To: Paul Ryan
Cc: security-basics () securityfocus com
Subject: Re: Assessment Methodology

Paul Ryan(pryan () rogers wave ca)@Mon, Oct 25, 2004 at 02:40:53PM -0400:
> I am in the process of doing an audit on various portions of our IT
> infrastructure. I wanted to know everyone's opinions on what the preferred
> metric system is. I've been researching OCTAVE - my objective is to
provide
> a report with a scheme that easily reflects the status based on our
current
> policy. Something like pass,fail or compliance % - just brainstorming here

We've always done tests based on what we can actually measure.  We try to
represent findings in terms that clearly articulate what we measured.  As
far as methodologies that we've seen, evaluated, and used, I have had the
best practical results by using the Open Source Security Testing Methodology
Manual (www.OSSTMM.org) from the Institute for Security and Open
Methodologies (www.ISECOM.org).

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033

Attachment: smime.p7s
Description: