
RE: Measuring Risk Assessment

Subject: RE: Measuring Risk Assessment
Date: Thu, 22 Sep 2005 22:07:04 -0700
I'm not sure how applicable this is, but it's an idea.

It's going to be difficult to show "improvements" in quality once a
process is under control.  Because generally, the idea is to maintain
that control rather than make huge changes.  So as things get closer to
perfect there are fewer major improvements to be cited.

You really can't show that you're fixing things that aren't broken.

The only thing that I can think of as support would be to work on
percentages of what risks are faced at present.  Or, somehow show
effects on management overhead, annual spending related to risk, or
other dollar values.  

Why is the initial risk reduction not useable?  Will the BS7799 not make
the firm available for other contracts?
(I would think if he could sell them on how it would affect the bottom
line he'd be in.)

-Anthony Towry



-------- Original Message --------
Subject: Measuring Risk Assessment
From: shankarnarayan.d@netsol.co.in
Date: Wed, September 21, 2005 4:07 am
To: security-basics@securityfocus.com

Hi,

We have successfully enabled an Organization to achieve BS7799. We have
conducted a Qualitative Risk Assessment for the different IT assets.

As a part of periodic improvements the client periodically adds additional
security measures, tweaks current controls, etc. The Client now wants to
measure the effectiveness of adopting these controls to show visible proof to
his management about the effectiveness of these controls and maybe adopting
the standard.

Can I get some suggestions (irrespective of whether it is relevant to BS7799
or not) as to how this client may show improvements to his management.
Specifically, any metrics on how he may show effectiveness with respect to the
"qualitative risk assessment". When he first implemented the Risk Treatment
plan, he could show significant risk reduction, but (as an example), tweaks
and changes now don't reduce a risk which is "High" to "Medium", they only
bring it a few notches lower but still in "High".

Any inputs would be greatly appreciated. I am looking for something apart
from standard inputs like comparing the number of vulnerabilities/security
issues faced, measuring the hits on Firewall/IDS, etc.

Thanks,
Shankar
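A worked illustration of the problem raised in both messages (the qualitative band label not moving even though the underlying risk has dropped), added here as an example and not code from either poster. It uses a constructed three-asset register scored as likelihood x impact on 1..5 scales, with assumed band thresholds, and shows a band-percentage view next to a residual-score view that does capture within-band improvement.

```python
# Added example: why qualitative bands hide incremental control improvements,
# and a residual-score metric that exposes them. Asset names, scores and the
# band thresholds below are constructed for illustration only.

# score >= threshold -> band name (checked top-down); thresholds are assumed
BANDS = [(15, "High"), (8, "Medium"), (0, "Low")]


def score(likelihood, impact):
    """Numeric risk score: likelihood (1..5) times impact (1..5)."""
    return likelihood * impact


def band(risk_score):
    """Map a numeric score to the qualitative band management sees."""
    for threshold, name in BANDS:
        if risk_score >= threshold:
            return name
    return "Low"


# Constructed register: asset -> (likelihood, impact), before and after tweaks.
# Every tweak lowers the score, but none crosses a band boundary.
BEFORE = {"mail server": (5, 5), "file share": (4, 4), "intranet": (2, 3)}
AFTER = {"mail server": (4, 5), "file share": (3, 5), "intranet": (2, 2)}


def band_report(register):
    """Qualitative view: percentage of assets in each band."""
    counts = {}
    for likelihood, impact in register.values():
        name = band(score(likelihood, impact))
        counts[name] = counts.get(name, 0) + 1
    total = len(register)
    return {name: round(100 * c / total) for name, c in counts.items()}


def residual_report(before, after):
    """Quantitative view: total residual score and the assets that improved
    without changing band (invisible in band_report)."""
    total_before = sum(score(*v) for v in before.values())
    total_after = sum(score(*v) for v in after.values())
    hidden = [a for a in before
              if band(score(*before[a])) == band(score(*after[a]))
              and score(*after[a]) < score(*before[a])]
    return {"before": total_before, "after": total_after,
            "reduction_pct": round(100 * (total_before - total_after) / total_before),
            "improved_within_band": hidden}


if __name__ == "__main__":
    print(band_report(BEFORE), band_report(AFTER))  # identical band view
    print(residual_report(BEFORE, AFTER))           # 17% residual reduction
```

The band view is unchanged between the two registers while the residual-score view shows a 17% reduction across all three assets, which is the kind of within-band metric the original question asks for.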
