Security Basics mailing list archives
RE: Risk assessment
From: aaa () bbb com
Date: 1 Jun 2009 22:34:50 -0000
I couldn't find your last reply on the list, so I'm replying to 'myself'. The first report covers risk/vulnerabilities. The second is a way of color coding data values for use in other places. Your valuations may be different than those in the example, but they are a good starting point.

First, why aren't your examples adequate? Use them as a starting point. Create a sheet for each "IT Resource", computer/software/firewall etc. Research to create your own (or auditor supplied) list of potential risks. Get the appropriate person to assign High/Med/Low/None values to the probability and severity of each risk you've identified as being relevant to this resource. Then use the matrix to convert the relative valuations into a numeric value that people can more easily relate to. The degree of each risk is always relative to your business. So you don't assign risk values; get the appropriate "data owner" to assign values. You or your boss can do it for IT.

Second, ask the auditors to tell you exactly what THEY want/expect, rather than guessing or asking us. Although IT pros tend to think of auditors as "the enemy" or "the devil incarnate" or some such, they are not. Think of them as your partners in securing corporate data. You do the "hard work" and they come along and, being know-it-alls, tell you what you've done wrong. So get them to provide you with an exact definition or example of what they need to be happy.

The first step in the whole process will be to identify the IT resources (on a regularly scheduled basis, weekly/monthly, would be best). Use one of the network-enabled inventory tools like Belarc, Secunia, SUMo that will scan your network, identify all hardware, and all software on the hardware. Secunia and SUMo will also report software that needs patching/updating and provide links. So you run the scanner, fit the results into the matrix, then start working on the high value ("4") issues first. If you can automate the matrix step it will speed life up for you.
At some point you will have to submit the report to the auditor. At that time you will have to justify why known faults are not fixed. For some, a valid answer will be, "but it is brand new, just identified 1 day ago". For others, "the rating is so low, 0/1/2, that we have not had time to deal with it because we have been dealing with higher priorities". If you set up a process to run the scans regularly, and patch the highest priorities as quickly as possible, and lower priorities on a time-available basis, you won't have a lot to defend. And your company IT resources will be much more secure than the average "out there".

Oh yes, unless your company is only 1 or 2 servers and 5 to 10 user desktops, I'm willing to bet right now that your report will be much more than 30 pages. In that case you might want to investigate putting the generated inventory data into a DB so that you can track when a problem is identified and when/how/who fixed the problem (which is probably also something the auditors will want to know). Then you can generate a report in any format the auditors want. And the DB will be helpful in generating reports for your mgmt. It is also probably safe to say that they don't have a clue how many vulnerabilities are out there that we have to keep up with. Good at budget time when they ask "what have you done for me lately".
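The "automate the matrix step" idea from the post, as an added example that is not part of the original message or its attachments: the High/Med/Low/None ratings a data owner assigns per risk are converted to the 0..4 value, open findings are sorted highest first, and each line carries the age the auditor will ask about. The matrix weights, resource names and findings below are all constructed placeholders, since the poster's own matrix was not included in the archive.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed matrix: rows are probability, columns are severity (None/Low/Med/High).
# The poster's matrix was an attachment not reproduced here; these weights are
# constructed and should be agreed with each data owner before use.
LEVELS = ["None", "Low", "Med", "High"]
MATRIX = {
    "None": [0, 0, 0, 0],
    "Low":  [0, 1, 1, 2],
    "Med":  [0, 1, 2, 3],
    "High": [0, 2, 3, 4],
}

@dataclass
class Finding:
    resource: str          # the "IT Resource" sheet this risk belongs to
    risk: str
    probability: str       # High/Med/Low/None, assigned by the data owner
    severity: str
    identified: date       # when the inventory scan first reported it
    fixed: Optional[date] = None

def rate(f: Finding) -> int:
    """Map the two relative ratings to the 0..4 numeric value."""
    if f.probability not in MATRIX or f.severity not in LEVELS:
        raise ValueError(f"unrated finding: {f.risk} on {f.resource}")
    return MATRIX[f.probability][LEVELS.index(f.severity)]

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Open findings only, highest score first; oldest first within a score."""
    still_open = [f for f in findings if f.fixed is None]
    return sorted(still_open, key=lambda f: (-rate(f), f.identified))

def report(findings: List[Finding], today: date) -> List[str]:
    """One line per open finding, with the age the auditor will ask about."""
    return [f"{rate(f)} {f.resource}: {f.risk} (identified {(today - f.identified).days} days ago)"
            for f in prioritize(findings)]

# Constructed sample scan results; hosts and risks are placeholders.
SAMPLE = [
    Finding("fileserver01", "unpatched file-sharing service", "High", "High", date(2009, 5, 20)),
    Finding("desktop07", "outdated media player", "Low", "Low", date(2009, 4, 1)),
    Finding("firewall01", "management interface missing vendor update", "Med", "High", date(2009, 5, 31)),
    Finding("desktop07", "browser plug-in update", "Med", "Med", date(2009, 5, 1), fixed=date(2009, 5, 5)),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE, date(2009, 6, 1))))
```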