Penetration Testing mailing list archives

Re: mapping vulnerabilities into high medium low risk


From: "Meritt James" <meritt_james () bah com>
Date: Fri, 19 Sep 2003 10:03:16 -0400

Concur.  It is a risk to them.  They know their resources and the value
they give them much more than you do.

I had a meeting with clients that went on for hours going over and over
this exact point.  Present your default position and let them
reword/rework as they see fit.  If you get their buy-in first, the
results will be much more acceptable.

Jim

Omar Herrera wrote:

This is the best approach in my opinion; let the client decide what is
high, medium or low for him, because, no matter how much we know about
security, clients will always know their business better.


-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566


