Security Basics mailing list archives
Risk Assessment Basics
From: "Fahim S" <fahimdxb () gmail com>
Date: Wed, 25 Oct 2006 11:09:24 +0400
With an ISO 27001 LA course behind me, I am off to hit my very first security assignment, where I have to tackle a company's (quite bad) IT audit report done by E&Y guys. Amongst various other issues raised by these guys, which include "lack of segregation of duties", "programmers having full access on production systems", lack of program change management guidelines, etc., etc., under the clause titled "Areas of Improvement" it is listed that a "Risk Assessment" has never been carried out and no BCP exists.

Now, the first thing I want to do is undertake a Risk Assessment, and my understanding is that in order to undertake a Risk Assessment, I first need to create/organise an Asset Register enumerating all the IT assets. I read quite a well written article here: http://www.networkmagazineindia.com/200212/security2.shtml

The guys here have a list of most of the assets (servers/PCs/printers etc.) and I am using the eval version of Network View to get insights into the others that are missing. But what's the best practice? Is there a template to maintain an Asset Register? How would I valuate them after identification, and further, I would also have to classify them. Am I right in undertaking this process to start with, given the fact that various other points exist in the auditors' report? How should I start? Please advise!!

PS: We are not aiming for ISO 27001 certification anytime in the near future; I am only looking at it for best practices for now.
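The valuation and classification questions asked above, shown as an added example that is not part of the original post or the linked article: a minimal asset register where each asset is rated on confidentiality, integrity and availability, the classification follows from the highest rating, and a risk score is impact times likelihood. The 1..3 scales, classification labels, asset names and likelihood values are constructed assumptions, not a standard the page prescribes.

```python
# Added example: a minimal asset register with CIA-based valuation,
# a classification derived from the value, and a likelihood x impact
# risk rating. Scales, names and likelihoods are constructed.
from dataclasses import dataclass

# Constructed classification scale keyed by asset value (1 = low .. 3 = high)
CLASSIFICATION = {1: "Public", 2: "Internal", 3: "Confidential"}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # every register entry needs an accountable owner
    asset_type: str
    confidentiality: int  # 1 = low .. 3 = high
    integrity: int
    availability: int

    def value(self) -> int:
        # "Highest wins": one high CIA rating makes the whole asset high value
        return max(self.confidentiality, self.integrity, self.availability)

    def classification(self) -> str:
        return CLASSIFICATION[self.value()]


def risk_score(asset: Asset, likelihood: int) -> int:
    # impact (asset value) x likelihood, both 1..3, so the score is 1..9
    if not 1 <= likelihood <= 3:
        raise ValueError("likelihood must be on the 1..3 scale")
    return asset.value() * likelihood


def risk_level(score: int) -> str:
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"


# Constructed sample register (not the company's real inventory)
REGISTER = [
    Asset("prod-db-01", "IT Ops", "server", 3, 3, 3),
    Asset("payroll-app", "Finance", "application", 3, 3, 2),
    Asset("lobby-printer", "Facilities", "printer", 1, 1, 1),
]


def assess(register, threat: str, likelihood: int):
    """Rate one threat against every asset; rows sorted by score, highest first."""
    rows = []
    for a in register:
        s = risk_score(a, likelihood)
        rows.append((a.name, a.classification(), threat, s, risk_level(s)))
    return sorted(rows, key=lambda r: -r[3])


if __name__ == "__main__":
    # Threat wording taken from the audit finding in the post; likelihood 2 is a constructed guess
    for row in assess(REGISTER, "uncontrolled change via programmer production access", 2):
        print(row)
```

The sorted output is the start of a risk treatment list: the highest-scoring rows are where the auditors' findings (segregation of duties, change management) would be mapped to controls first.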