Re: Help With Risk Assessment

["kevin horvath" <kevin.horvath () gmail com>]

This is a bit off topic you might want to try to look at NIST 800-53
rev 2 and fips 200, particularly the appendices of 800-53.

On Wed, May 7, 2008 at 1:31 PM, Paul Melson <pmelson () gmail com> wrote:
> > I am looking for guidance on creating a matrix for a IT risk assessment.
>  > I am using the methdology from NIST SP 800-30 and am looking for specific
>  line items to add to the matrix.  Any help or
>  > pointers you can provide are appreciated in advance.  While looking for
>  something complete I am not necessarily looking
>  > for exhaustive (but can pare that down if need be).
>
>  I think this is a little off-topic for fw-wiz, but I know it's hard to find
>  lists to ask these questions to.  I defer to Paul as to whether or not he
>  wants to let the thread keep going.
>
>  If I were doing 800-30 and had a good inventory of systems and functions,
>  but not a good idea of what the potential vulnerabilities were, I might take
>  a look at something like the OCTAVE Catalog of Practices [1] (I don't know
>  if NIST has something like this for 800-30, but OCTAVE and 800-30 are
>  similar in that they are both risk assessment methodologies.) and work
>  backwards from the applicable practices.  Essentially you're doing a gap
>  analysis of your practices as a first step to the vulnerability analysis.
>  It wouldn't be perfect, but it's much easier to put into survey form and
>  collect data for.
>
>  Hope that helps!
>
>  PaulM
>
>  [1] http://www.cert.org/archive/pdf/01tr020.pdf
>
>
>
>
>  _______________________________________________
>  firewall-wizards mailing list
>  firewall-wizards () listserv icsalabs com
>  https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards