Firewall Wizards mailing list archives

Re: Internet Security Review


From: Steve Kruse <jsk347 () worldnet att net>
Date: Mon, 13 Oct 1997 18:15:35 -0400

Ok folks...Mark (in a private E-Mail) pointed out a serious mistake I made
here.  I said "takes several days to complete".  What I should have said was
"takes several weeks or months to complete".  The real time involved is on
the auditEE's part, not the auditOR's part, in that before they can do a
serious evaluation, you must spend many many many hours preparing precise
detailed information.  The work of making detailed maps, listing operating
systems, programs, rev/release levels, connections, policies, access-lists,
firewall rules blah blah blah...must all be done before they ever set foot
on site.  Once on site, the time they are actually there doing the audit
ranges, depending on the complexity of the network, from days to weeks.  THEN, after
the audit is completed, they will take some amount of time (up to another
several weeks) preparing the report for executive management.  So...comment
gracefully accepted, Mark.  Good point!

Steve Kruse

Date: Mon, 13 Oct 1997 13:44:30 -0400
To: Mark Teicher <mht () clark net>, firewall-wizards () nfr net
From: Steve Kruse <jsk347 () worldnet att net>
Subject: Re: Internet Security Review

At 06:15 AM 10/13/97 +0000, Mark Teicher wrote:
What are people's thoughts on what an Internet Security Review is??  

What tools or programs would one use while conducting one, and how 
would one go about conducting one?


/mht


Lots of stuff deleted to SAVE some bandwidth! <<<<<<<<<<

Most "complete" audits will take several days to complete and will 
require many hours of preparation, such as providing network maps, 
complete policy documentation, meetings with legal counsel, MIS, and 
executive staff, etc. before the actual assessment (audit) actually 
begins.  Not an undertaking for the "cash impaired" or the "feel good 
all over" level some companies are looking for.  

Comments welcome - Flames Ignored!



*****************************************************
* Steve Kruse               Milkyway Networks       *
* Network Systems Engineer  1342 E. Vine St. #224   *
* 407-847-8977 Voice        Kissimmee, FL 34744     *
* 407-847-7203 Fax          http://www.milkyway.com *
*****************************************************


