Firewall Wizards mailing list archives

RE: Paper on why I need a security Assessment


From: "Moore, James" <James.Moore () MSFC NASA GOV>
Date: Wed, 2 Feb 2000 11:14:58 -0600

Sounds like you're talking about risk management - that's the "why" for
doing a security assessment. I'd recommend you take a look at some of the
material at NIST's website first. They have done some good work, and their
material is free of vendor/consultant bias - your tax dollars at work :).

If you're interested go to: http://csrc.nist.gov and search for the
following documents:

NIST Special Publication 800-18,
NIST Special Publication 800-12, (see Chap 7 for an overview, Chap 20 for a
case study)

Jim Moore
256.461.4381

----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9  7886 7797 6908 048F 049B
---------------------------------------------------


-----Original Message-----
From: Matt McClung [SMTP:mmcclung () ndwcorp com]
Sent: Tuesday, February 01, 2000 3:09 PM
To: firewall-wizards () nfr net
Subject: Paper on why I need a security Assessment

I am looking for a good paper on why a company should perform a security
assessment.  Not the What is an assessment type of paper, but a WHY - If I
don't do anything then what?

Example:  If you don't check the configuration of your web server, you may
leave a default server setting that allows for a system compromise using a
well known scripting tool.

Anyone have a link to something like this?

Matt


