Firewall Wizards mailing list archives
Re: Help With Risk Assessment
From: "kevin horvath" <kevin.horvath () gmail com>
Date: Wed, 7 May 2008 18:34:14 -0400
This is a bit off topic you might want to try to look at NIST 800-53 rev 2 and fips 200, particularly the appendices of 800-53. On Wed, May 7, 2008 at 1:31 PM, Paul Melson <pmelson () gmail com> wrote:
I am looking for guidance on creating a matrix for a IT risk assessment.> I am using the methdology from NIST SP 800-30 and am looking for specific line items to add to the matrix. Any help or > pointers you can provide are appreciated in advance. While looking for something complete I am not necessarily looking > for exhaustive (but can pare that down if need be). I think this is a little off-topic for fw-wiz, but I know it's hard to find lists to ask these questions to. I defer to Paul as to whether or not he wants to let the thread keep going. If I were doing 800-30 and had a good inventory of systems and functions, but not a good idea of what the potential vulnerabilities were, I might take a look at something like the OCTAVE Catalog of Practices [1] (I don't know if NIST has something like this for 800-30, but OCTAVE and 800-30 are similar in that they are both risk assessment methodologies.) and work backwards from the applicable practices. Essentially you're doing a gap analysis of your practices as a first step to the vulnerability analysis. It wouldn't be perfect, but it's much easier to put into survey form and collect data for. Hope that helps! PaulM [1] http://www.cert.org/archive/pdf/01tr020.pdf _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- LayerOne 2008 - Final Update Layer One (May 01)
- Help With Risk Assessment Mike LeBlanc (May 07)
- Re: Help With Risk Assessment Paul Melson (May 07)
- Re: Help With Risk Assessment kevin horvath (May 07)
- Re: Help With Risk Assessment Mike Davis (May 07)
- Re: Help With Risk Assessment Paul Melson (May 07)
- Help With Risk Assessment Mike LeBlanc (May 07)