Security Basics mailing list archives

using cvss to assess process problems


From: robsonde () gmail com
Date: 2 Sep 2010 04:17:03 -0000

our IT managers have asked that we use CVSS to assess security issues for the last few months.

we have quite a good understanding of the system when it is used for "bugs".

but we have a few security issues that are more of a failure of process, people doing the wrong thing and such like.

these risks don't fit the CVSS framework at all, but at the same time we can see that they are security issues that need to be assessed.

for example we have a problem where some people on the second level team don't understand unix groups and so keep adding the wrong people to the wrong groups.
the result is that staff get more access to the system than they should.

we can see several ways of fixing this problem, but the managers want to see us use CVSS to get a score for it.




how can we use CVSS to get a score for this kind of risk? is there another framework that may work better for this?



thanks.




