Network Security CISSP-Discussion

Re: [CISSP-D] Risk Assessment Automation.

Subject: Re: [CISSP-D] Risk Assessment Automation.
Date: Wed, 24 Nov 2004 18:16:18 -0000


Nadeem,

I am glad to hear that you were not confusing vulnerability scanning 
and SRA. It sounds like you know what you are doing here. Sorry for 
my confusion. 

Also I would concur with most of the reply posts that give examples 
like RiskWatch, NIST ASSET, and a few others. You may want to 
consider the following points:

Flexibility: Some tools / methods have a specific method that you must 
follow (I believe CORBA falls in this camp). If this method works 
for you, great; if not, this would not be a good tool for you.

Completeness: Some tools / methods automate or provide a process for 
a portion of the risk assessment but don't cover all of it. I believe 
OCTAVE and @RISK fall into this camp. OCTAVE provides a framework for 
handling the process but does not provide any method on the "how" 
(the idea is that specific SRA methods would become "OCTAVE-
compliant").  @RISK is a fantastic tool for performing statistical 
calculations, monte carlo simulation, etc. This is clearly only a 
piece of the puzzle.

Rigor: Some recent tools including anything that calls itself 
a "self-assessment" tool are lacking in rigor. If your SRA is meant 
to be performed by those who implement the controls and finish in a 
week or two then these tools are for you. Personally, I think it is 
great to perform checks for workmanship, but I would never call 
these risk assessments. I believe SRAs need to be performed 
independently and not by the internal team that set up the security 
controls.

Lastly, it sounds like you have a team that knows what they are 
doing so I am not aiming this at you BUT I am generally worried 
about the direction that some of these tools and methods can be 
taking the industry if we start running these as an "automated 
process." A security risk assessment is an objective review of the 
security controls and their ability to meet business objectives. No 
tool in the world can automate that process - it takes judgement and 
analysis. Again, I think it is great to have tools that make the 
number crunching and questionnaire distribution easier, but I fear 
in the future SRAs will be peddled by local IT shops who have 
learned an interface but not the discipline of security.

Regards,
Doug




