Educause Security Discussion mailing list archives

Re: Risk Assessments


From: Ken Shaurette <kmshaurette () MPCCORP COM>
Date: Tue, 23 Nov 2004 17:00:38 -0700

The point I would make in addition to the comments that Thomas has noted
is in reference to "audit".  If an organization is truly performing an
audit, they are not able to make recommendations.  An audit should not be
making recommendations, for independence reasons.  If it has
recommendations, an analysis or assessment was done of the finding, and
subsequently a recommendation was made.  An auditor making
recommendations could not audit those recommendations in subsequent
years because there would be no independence.

An audit can list how you rate or comply with a guideline/standard (ISO,
NIST, NSA), with legal regulations (HIPAA, FISMA, GLBA, SARBOX) or with
some other industry convention.  The assessment (vulnerability or risk)
will provide education and coaching, evaluate any findings to provide
suggestions and alternatives for improvement, and identify gaps between
current posture and desired posture, for compliance or for a rating
compared to some measurement.

Some assessments will be simply a technical assessment, usually also
only a vulnerability assessment, such as one from Qualys.  However, a
vulnerability assessment could find vulnerabilities beyond just the
technology by looking at policy, people and process.  A good combination is
generally an assessment that will provide the technical, but also mix in
a healthy amount of analysis of policy, people and process, in which
case you are often getting into the risk analysis side of the
institution: considering the business and social climate in the organization
as well as taking into account the criticality and sensitivity of the
data/systems/applications/databases.  A pure "risk assessment" would
generally use either a qualitative or quantitative measurement to rate
an organization's risk using the formulas of risk management.

I'm sure this is a lot more than anyone wanted regarding this, but to
wrap up, here are a few things you may want to consider in your
assessment choice.

*       Cooperative versus stealthy or adversarial
*       Penetration - do you need to prove a vulnerability can be
penetrated?  It takes more time; does it prove anything additional?
*       Educational: will an outside vendor share knowledge as they
perform the work, and will they let you learn from what they do?
*       Be sure you get all the detail, not just a summary report; some
charge more for the full detailed results
*       Final report format: make sure it gets delivered in a usable
structure.  Someone mentioned having it be easy to disseminate without
giving out the whole report; that may sound basic, but without special
effort it is not necessarily straightforward for that to happen.

A complete holistic assessment should at least cover topic areas such
as:
*       Security policy review
*       Virus protection review (all malicious code, including SPAM,
Adware, Spyware)
*       Technical external vulnerability scan
*       Technical internal vulnerability scan
*       Wireless vulnerability
*       Modem vulnerability
*       Firewall review
*       Intrusion detection/prevention
*       BC/DR planning
*       Incident management
*       Change/patch management
*       Physical security

If you would like to talk offline about this let me know.

Ken 
------ 

Ken M. Shaurette, CISSP, CISA, CISM

MPC Solutions, www.mpcscorp.com
(P) (262) 523-3300 x60486 
(F) (208) 898-2383 
------ 
National Security Awareness Month - October 2004 - Be Aware It Doesn't
End When the Day is Done! 
------ 
******************************************** 
-----Original Message-----
From: Davis, Thomas R. [mailto:tdavis () IU EDU] 
Sent: Wednesday, November 17, 2004 6:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Risk Assessments


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----Original Message----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alt, Brandon C.
Sent: Tuesday, November 16, 2004 10:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Risk Assessments

developing a formal and complete risk assessment

Hi Brandon,
  The one thing I might add to the other posts is that it's all too
common for the terms "risk assessment" and "vulnerability assessment" to
be used incorrectly.  So, if you do end up contracting with an external
agency to develop and/or perform a risk assessment for you, you'll want
them to clearly articulate which one you're going to pay for.  ;-)

  Vulnerability assessments tend to focus on network and host based
vulnerability scans (and perhaps physical security), and are one part of
an overall risk assessment.  Risk assessments take a broader view of the
entire business process and review other issues such as sensitivity of
the data (i.e., where should attention be focused), backups, disaster
recovery, policy, etc.

- --
Tom Davis, Information Technology Security Officer, CISSP, CISM
Office of the VP for Information Technology, Indiana University
PGP key or S/MIME certificate: https://www.itso.iu.edu/staff/tdavis/

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQZtH6nMQ7XQGtBENEQJmXACfR9VhrpVmqvicuYcMT1JcQnbzAgAAoING
XWw+Vv7XTRVcesRtapgGXstg
=xP2S
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

Disclaimer: 23/11/2004

MPC Computers is providing the following information in compliance with federal regulations:
 
MPC Computers, LLC
906 E. Karcher Road
Nampa, Idaho 83687
1-888-224-4247
http://www.mpccorp.com

To discontinue receiving e-mail communications from MPC in the future, please go to: 
http://www.mpccorp.com/email/manage.html and follow the instructions.

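Ken's post refers to rating an organization's risk "using the formulas of risk management" with either a qualitative or a quantitative measurement, without spelling them out. The following is an added example, not part of the thread and not any participant's code, that applies the standard textbook formulas (single loss expectancy SLE = AV x EF, annualized loss expectancy ALE = SLE x ARO, a likelihood x impact matrix for the qualitative view, and safeguard value = ALE before - ALE after - annual cost of the safeguard) to a small constructed risk register. The asset names, dollar values, exposure factors and incident rates are all made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scale shared by likelihood and impact; their product is a 1..9 score.
QUAL_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    """One line of a risk register (all figures constructed for the example)."""
    asset: str
    asset_value: float           # AV: business/replacement value in dollars
    exposure_factor: float       # EF: fraction of AV lost in one incident, 0..1
    aro: float                   # ARO: expected incidents per year, current posture
    likelihood: str              # qualitative ratings given by the assessor
    impact: str
    control_cost: float = 0.0    # annual cost of the proposed safeguard
    aro_after: Optional[float] = None  # ARO expected with the safeguard in place

    def __post_init__(self) -> None:
        # Reject inputs the formulas would silently turn into nonsense.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: exposure factor must be in 0..1")
        for level in (self.likelihood, self.impact):
            if level not in QUAL_LEVELS:
                raise ValueError(f"{self.asset}: unknown qualitative level {level!r}")


def sle(f: Finding) -> float:
    """Single loss expectancy: AV * EF, rounded to cents."""
    return round(f.asset_value * f.exposure_factor, 2)


def ale(f: Finding, aro: Optional[float] = None) -> float:
    """Annualized loss expectancy: SLE * ARO (optionally with a different ARO)."""
    rate = f.aro if aro is None else aro
    return round(sle(f) * rate, 2)


def qualitative_rating(f: Finding) -> str:
    """Likelihood x impact on a 3x3 matrix, bucketed to low/medium/high."""
    score = QUAL_LEVELS[f.likelihood] * QUAL_LEVELS[f.impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def control_value(f: Finding) -> Optional[float]:
    """Annual value of the safeguard: ALE before - ALE after - cost of control.

    Negative means the control costs more than the risk it removes.
    None when no post-control ARO was estimated for this finding.
    """
    if f.aro_after is None:
        return None
    return round(ale(f) - ale(f, f.aro_after) - f.control_cost, 2)


def rank_by_ale(findings: List[Finding]) -> List[str]:
    """Asset names ordered by current ALE, highest first."""
    return [f.asset for f in sorted(findings, key=ale, reverse=True)]


# Constructed register: three findings a campus assessment might produce.
REGISTER = [
    Finding("student records database", 2_000_000, 0.25, 0.1, "medium", "high",
            control_cost=20_000, aro_after=0.02),
    Finding("public web server", 100_000, 0.5, 2.0, "high", "medium",
            control_cost=30_000, aro_after=0.5),
    Finding("lab printers", 10_000, 1.0, 0.5, "low", "low",
            control_cost=8_000, aro_after=0.1),
]

if __name__ == "__main__":
    for f in REGISTER:
        print(f"{f.asset:26} SLE={sle(f):>12,.2f} ALE={ale(f):>12,.2f} "
              f"qualitative={qualitative_rating(f):6} "
              f"control value={control_value(f):>10,.2f}")
    print("priority by ALE:", rank_by_ale(REGISTER))
```

Running it shows why the post distinguishes the two measurements: the database and the web server both land on "high" in the qualitative matrix, but the quantitative view ranks the web server first (ALE 100,000 versus 50,000) and shows the printer control losing money (value -4,000), which a purely qualitative rating cannot express.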
