Educause Security Discussion mailing list archives
Re: Risk Assessments
From: Ken Shaurette <kmshaurette () MPCCORP COM>
Date: Tue, 23 Nov 2004 17:00:38 -0700
The point I would make, in addition to the comments that Thomas has noted, is in reference to "audit". If an organization is truly performing an audit, they are not able to make recommendations. An audit should not be making recommendations, for independence reasons. If it has recommendations, then analysis or an assessment of the finding was done and subsequently a recommendation was made. An auditor making recommendations could not audit those recommendations in subsequent years because there would be no independence. An audit can list how you rate against or comply with a guideline/standard (ISO, NIST, NSA), legal regulations (HIPAA, FISMA, GLBA, SARBOX), or some other industry convention.

The assessment (vulnerability or risk) will provide education and coaching, evaluate any findings to provide suggestions and alternatives for improvement, and identify gaps between current posture and desired posture, for compliance or rating compared to some measurement. Some assessments will be simply a technical assessment, usually also only a vulnerability assessment such as from Qualys. However, a vulnerability assessment could find vulnerabilities beyond just the technology, looking at policy, people and process. A good combination is generally an assessment that will provide the technical, but also mix in a healthy amount of analysis of policy, people and process, in which case you are often getting into the risk analysis side of the institution to consider the business and social climate in the organization as well as take into account the criticality and sensitivity of the data/systems/applications/databases. A pure "risk assessment" would generally use either a qualitative or quantitative measurement to rate an organization's risk using the formulas of risk management.

I'm sure this is a lot more than anyone wanted regarding this, but to wrap up, here are a few things you may want to consider in your assessment choice:
* Cooperative versus stealthy or adversarial
* Penetration - do you need to prove a vulnerability can be penetrated? It takes more time, and does it prove anything additional?
* Educational: will an outside vendor share knowledge as they perform the work, and will they let you learn from what they do?
* Be sure you get all the detail, not just a summary report; some charge more for the full detailed results.
* Final report format: make sure it gets delivered in a usable structure. Someone mentioned having it be easy to disseminate without giving out the whole report; that may sound basic, but without special effort it is not necessarily straightforward for that to happen.

Areas you will probably want covered for a complete holistic assessment should at least include topic areas such as:

* Security policy review
* Virus protection review (all malicious code including SPAM, Adware, Spyware)
* Technical external vulnerability scan
* Technical internal vulnerability scan
* Wireless vulnerability
* Modem vulnerability
* Firewall review
* Intrusion detection/prevention
* BC/DR planning
* Incident management
* Change/patch management
* Physical security

If you would like to talk offline about this, let me know.

Ken
------
Ken M. Shaurette, CISSP, CISA, CISM
MPC Solutions, www.mpcscorp.com
(P) (262) 523-3300 x60486 (F) (208) 898-2383
------
National Security Awareness Month - October 2004 - Be Aware It Doesn't End When the Day is Done!
------

-----Original Message-----
From: Davis, Thomas R. [mailto:tdavis () IU EDU]
Sent: Wednesday, November 17, 2004 6:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Risk Assessments

----Original Message----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alt, Brandon C.
Sent: Tuesday, November 16, 2004 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk Assessments
> developing a formal and complete risk assessment
Hi Brandon,

The one thing I might add to the other posts is that it's all too common for the terms "risk assessment" and "vulnerability assessment" to be used incorrectly. So, if you do end up contracting with an external agency to develop and/or perform a risk assessment for you, you'll want them to clearly articulate which you're going to pay for. ;-)

Vulnerability assessments tend to focus on network and host-based vulnerability scans (and perhaps physical security), and are one part of an overall risk assessment. Risk assessments take a broader view of the entire business process and review other issues such as sensitivity of the data (i.e., where attention should be focused), backups, disaster recovery, policy, etc.

--
Tom Davis, Information Technology Security Officer, CISSP, CISM
Office of the VP for Information Technology, Indiana University
PGP key or S/MIME certificate: https://www.itso.iu.edu/staff/tdavis/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Re: Risk Assessments Tim Lane (Nov 16)
- <Possible follow-ups>
- Risk Assessments Alt, Brandon C. (Nov 16)
- Re: Risk Assessments Mike Erickson (Nov 16)
- Re: Risk Assessments Jamie A. Stapleton (Nov 16)
- Re: Risk Assessments Davis, Thomas R. (Nov 17)
- Re: Risk Assessments Ken Shaurette (Nov 23)
- Re: Risk Assessments Havens, Ben (Nov 24)
- Re: Risk Assessments Melissa Guenther (Nov 24)
- Re: Risk Assessments Scholz, Greg (Nov 24)
- Re: Risk Assessments Ken Shaurette (Nov 24)
- Re: Risk Assessments Ken Shaurette (Nov 24)