RE: Information System Security Assessment Framework (ISSAF) Draft 0.1

[surreal () delusory org]

Disclaimer: I have a rule about not reading 1054-page PDFs while on
vacation, or maybe I'm waiting for the Oo version.

I can't help but wonder "why do this?", given the existance of the
OSSTMM.  How does this document differ? What's the niche being filled? 
I'm not saying it's not worthwhile, but I think those are valid
questions. 

I regret that I must now perform the ritual of After Christmas Sales;
SWMBO summons me.

Surreal 

OPSA, Cat Feeder.

> Yargs! That's a 1054 page PDF. There's a mispelling on page 544 though. 
> Some packets get "drooped". Not that I should be commenting on the 
> spelling of anyone else's work, since, as Bas says, "It's not a dave 
> post without a mispelling".
>
> My only request to the ISSAF is to turn the buzzword factor down just a 
> bit. Even the announcement is hard to read. If I had to describe the 
> pages I've read so far, I'd say "This PDF shows things you can learn 
> from hping2". But now I've scrolled to a different page, and it's 
> talking about OSPF router authentication stuff.
>
> Reasonably good Oracle section, it turns out. (Page 440)
>
> These guys need to convert it to OpenOffice format. It's hugely painful 
> to read large documents as a PDF. This thing is basically a book. It 
> reminds me of the Hackers Handbook, actually.
>
> -dave
>
>
> admoore () phreaker net wrote:
>
> > Dear Colleague,
> >
> > Today, the evaluation of Information Systems (IS) security in accordance with business requirements is a vital 
> > component of any organizations business strategy. While there are a few information security assessment standards, 
> > methodologies and frameworks that talk about what areas of security must be considered, they do not contain 
> > specifics on HOW and WHY existing security measures should be assessed, nor do they recommend controls to safeguard 
> > them.
> >
> > The Information System Security Assessment Framework (ISSAF) is a peer reviewed structured framework that 
> > categorizes information system security assessment into various domains & details specific evaluation or testing 
> > criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real life 
> > scenarios. ISSAF should primarily be used to fulfill an organization’s security assessment requirements and may 
> > additionally be used as a reference for meeting other information security needs. ISSAF includes the crucial facet 
> > of security processes and, their assessment and hardening to get a complete picture of the vulnerabilities that 
> > might exists.
> >
> > The information in ISSAF is organized into well defined evaluation criteria, each of which has been reviewed by 
> > subject matter experts in that domain. These evaluation criteria include:
> > •    A description of the evaluation criteria.
> > •    Its aims & objectives
> > •    The pre-requisites for conducting the evaluations
> > •    The process for the evaluation
> > •    Displays the expected results
> > •    Recommended countermeasures
> > •    References to external documents
> >
> > A draft version of this framework is available at OISSG website at:
> > http://oissg.org/issaf01/issaf0.1.zip (5.59 MB) or http://oissg.org/issaf01/issaf0.1.pdf (12.6 MB)
> >
> > The Information System Security Assessment Framework (ISSAF) is an evolving document that will be expanded, amended 
> > and updated in future. To improve the usefulness of the future release of ISSAF, please take a moment to evaluate 
> > it. Your feedback is invaluable to OISSG's efforts to fully serve the profession and future ISSAF releases. The 
> > feedback form is given at the end of ISSAF; please email your feedback at feedback () oissg org. We will get back to 
> > you ASAP.
> >
> > Best regards,
> > A.D. Moore
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > https://lists.immunitysec.com/mailman/listinfo/dailydave
> >  
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> https://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave