Penetration Testing mailing list archives
RE: Sample Risk Assessment Report
From: "Tyler Markowsky" <tyler.markowsky () seccuris com>
Date: Fri, 14 Jan 2005 12:29:06 -0600
I am confused by your definition of assets scure. Can you please clarify? On assets: Are network devices not assets? Does it not follow that if you have scanned, identified and analyzed technical vulnerabilities, then you could have also identified a risk to an asset? (assuming your technical analysis phase involves some form of quantitative / qualitative classification) I agree that business risks differ from technical risks; however doesn't the failure of an asset (potentially) lead to the failure a business process(es), which can (potentially) upset a critical business function(s)? On methodology: I cannot discuss methodology in detail, but I can say that threat risk assessments are not set in stone. Each and every client has specific needs and concerns which require you to adapt your internal and external processes. This in turn affects your analysis and therefore your deliverables. (This is why scure and I have more questions than answers mambo) Having said this, you would not be able to identify those specific client needs without preliminary definition of need from a business threat-risk perspective. Best, Tyler Markowsky Information Risk Analyst Seccuris http://www.seccuris.com -----Original Message----- From: Cure, Samuel J [mailto:scure () kpmg com] Sent: Friday, January 14, 2005 11:38 AM To: 'Tyler Markowsky'; 'Mambo'; pen-test () securityfocus com Subject: RE: Sample Risk Assessment Report This raises a question. Is this a top down approach or bottom up approach based on the OSI model with business layer being on top? The challenge with mapping assets to vulnerabilities using a bottom up approach is the ability to identify business risk associated with findings. If a bottom up approach is being used, then the technical assessments are performed first. Therefore, trying to identify the assets or business risk after the technical assessment is performed increases the chance of missing something with business impact. As Tyler mentioned, target audience is key and I concur with the report content he listed. Others? Thoughts? -scure -----Original Message----- From: Tyler Markowsky [mailto:tyler.markowsky () seccuris com] Sent: Thursday, January 13, 2005 6:10 PM To: 'Mambo'; pen-test () securityfocus com Subject: RE: Sample Risk Assessment Report Hello Mambo- Who will be the audience of this report? Board-level? Executive management? IT Security professionals? Depending on who will be reading it, try to apply your knowledge of the organizations assets and critical business functions to the discovered vulnerabilities. This will provide value to not only those who are highly technical, but also those who are not. Best, Tyler Markowsky Information Risk Analyst Seccuris -----Original Message----- From: Mambo [mailto:mamboz () gmail com] Sent: Thursday, January 13, 2005 5:04 AM To: pen-test () securityfocus com Subject: Sample Risk Assessment Report Hi All, Any idea about any sample Risk Assessment Report's available on the net. Was searching but got very few which are not worth mentioning. Cheers Mambo """Security-- Someone gave birth...But i Own it..now...""" **************************************************************************** * The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. **************************************************************************** *
Current thread:
- Sample Risk Assessment Report Mambo (Jan 13)
- RE: Sample Risk Assessment Report Tyler Markowsky (Jan 14)
- RE: Sample Risk Assessment Report James Williams (Jan 14)
- <Possible follow-ups>
- RE: Sample Risk Assessment Report Todd Towles (Jan 13)
- Re: Sample Risk Assessment Report infosecgod (Jan 14)
- RE: Sample Risk Assessment Report Cure, Samuel J (Jan 14)
- RE: Sample Risk Assessment Report Tyler Markowsky (Jan 14)
- RE: Sample Risk Assessment Report Cure, Samuel J (Jan 14)