Re: Sample Risk Assessment Report

[<infosecgod () gmail com>]

In-Reply-To: <9E97F0997FB84D42B221B9FB203EFA276E9563 () dc1ms2 msad brookshires net>



> If you use some Google hacking you can find security scan reports. =3D)
> Not exactly what you want..but
>
> Nessus
> http://www.computec.ch/dokumente/windows/sicherheit_von_windows/2-scanni
> ng/nessus-report.html
> http://mrcorp.infosecwriters.com/os_scan/xpscan/default/default.html
> http://www.rit.edu/~wjh3710/pub/old.html
> http://www.kefk.net/Admin/Nessus/kefk_net/

It is important to understand the difference between a vulnerability scanner report - which these are - and what has 
been requested - a risk assessment report.

This is one of the main reasons why security has gotten a bad name for itself in the corporate world - IT/security 
managers do not want to see another list of things they need to do (fix).  A risk assessment takes the information 
delivered by the scanners and other testing techniques and provides understanding of the scanning results within the 
context of business risks. This means that using Nessus/ISS/eEYE results do NOT equal risk assessment.  These tools are 
important parts of the risk assessment process but do not represent risk assessment.

Risk assessments assign values to IT assets and use these values to understand risk within a business context. A better 
area to look would be at the risk methodologies themselves such as – 

http://www.security-risk-analysis.com/
http://www.cert.org/octave/
http://www.riskworld.net/

are good places to start

J/