I am confused by your definition of assets scure. Can you please clarify?
On assets:
Are network devices not assets? Does it not follow that if you have
scanned, identified and analyzed technical vulnerabilities, then you could
have also identified a risk to an asset? (assuming your technical analysis
phase involves some form of quantitative / qualitative classification)
I agree that business risks differ from technical risks; however doesn't the
failure of an asset (potentially) lead to the failure a business
process(es), which can (potentially) upset a critical business function(s)?
On methodology:
I cannot discuss methodology in detail, but I can say that threat risk
assessments are not set in stone. Each and every client has specific needs
and concerns which require you to adapt your internal and external
processes. This in turn affects your analysis and therefore your
deliverables. (This is why scure and I have more questions than answers
mambo) Having said this, you would not be able to identify those specific
client needs without preliminary definition of need from a business
threat-risk perspective.
Best,
Tyler Markowsky
Information Risk Analyst
Seccuris
http://www.seccuris.com
-----Original Message-----
From: Cure, Samuel J [mailto:scure@kpmg.com]
Sent: Friday, January 14, 2005 11:38 AM
To: 'Tyler Markowsky'; 'Mambo'; pen-test@securityfocus.com
Subject: RE: Sample Risk Assessment Report
This raises a question. Is this a top down approach or bottom up approach
based on the OSI model with business layer being on top? The challenge with
mapping assets to vulnerabilities using a bottom up approach is the ability
to identify business risk associated with findings. If a bottom up approach
is being used, then the technical assessments are performed first.
Therefore, trying to identify the assets or business risk after the
technical assessment is performed increases the chance of missing something
with business impact.
As Tyler mentioned, target audience is key and I concur with the report
content he listed.
Others? Thoughts?
-scure
-----Original Message-----
From: Tyler Markowsky [mailto:tyler.markowsky@seccuris.com]
Sent: Thursday, January 13, 2005 6:10 PM
To: 'Mambo'; pen-test@securityfocus.com
Subject: RE: Sample Risk Assessment Report
Hello Mambo-
Who will be the audience of this report? Board-level? Executive management?
IT Security professionals?
Depending on who will be reading it, try to apply your knowledge of the
organizations assets and critical business functions to the discovered
vulnerabilities. This will provide value to not only those who are highly
technical, but also those who are not.
Best,
Tyler Markowsky
Information Risk Analyst
Seccuris
-----Original Message-----
From: Mambo [mailto:mamboz@gmail.com]
Sent: Thursday, January 13, 2005 5:04 AM
To: pen-test@securityfocus.com
Subject: Sample Risk Assessment Report
Hi All,
Any idea about any sample Risk Assessment Report's available
on the net. Was searching but got very few which are not worth
mentioning.
Cheers
Mambo
"""Security-- Someone gave birth...But i Own it..now..."""
****************************************************************************
*
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized.
If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter.
****************************************************************************
*
