Firewall Wizards mailing list archives
RE: Paper on why I need a security Assessment
From: "Omar T. Fahnbulleh" <otariq () bellatlantic net>
Date: Sat, 5 Feb 2000 02:40:11 -0500
You can write your own Security assessment if you use RFC2196; I'll attach it to this e-mail.

-----Original Message-----
From: owner-firewall-wizards () lists nfr net [mailto:owner-firewall-wizards () lists nfr net] On Behalf Of Bennett Todd
Sent: Wednesday, February 02, 2000 8:45 AM
To: Matt McClung
Cc: firewall-wizards () nfr net
Subject: Re: Paper on why I need a security Assessment

2000-02-01-16:09:09 Matt McClung:
I am looking for a good paper on why a company should perform a security assessment.
I'm going to take a liberty and assume that a security assessment is the same thing as a security audit. Given that assumption, I'll take a stab at this one.

There are two categories of reason you might want a security audit, associated with the two sorts of audits. Very roughly you can call them internal and external.

An internal audit is for your own benefit; it's requested by your own organization, the results are reported only to your own organization, and the intent is that the auditing process teaches you something about security and how to make it better. An internal audit can be conducted by your own staff, if you have the expertise. You can get an internal audit conducted by outside experts, but it takes some doing to get real experts that can teach you enough to be useful (I loved the recent Dilbert on the Bait-n-Switch consulting company :-).

An external audit is conducted for someone else's benefit. Perhaps a parent organization, perhaps a potential investor or purchaser. External financial audits are often part of financial reporting practices.

I've written more about this in my paper on auditing firewalls, available from <URL:http://www.itsecurity.com/papers/p5.htm>.

To answer your question another way, solely from the perspective of internal audits: doing security _right_ is hard. It can be a big help to get someone with a fresh point of view to review your work and possibly recommend improvements. And if they don't recommend any, that's a really satisfying endorsement of your work.

-Bennett
Attachment:
rfc2196.txt