RE: Project Plan for Assessments

Subject: RE: Project Plan for Assessments
Date: Fri, 24 Sep 2004 09:08:55 -0700
We have a couple of different risk assessment levels that we support -
one for enterprise risk assessments, and one for IT project risk
assessments (security risks).
 
Our enterprise risk assessment activities are really focused on the
business-technology network and security process components, and use a
combination of internal and external evaluations performed on various
aspects of the enterprise on a 6 to 18 month rotational basis - these
are also formed with our audit activities in mind (trying not to
duplicate too much).
 
For our IT project risk assessments, we have inserted ourselves into the
organizational CMM process and have two primary functions: 1)
Assessing risks and providing recommendations for risk mitigation; 2)
Providing security consulting on process development and engineering
activities. We use a spreadsheet to capture all of the relevant
information required for the project, and use it to develop our
workplan.
 
When putting together your framework, I would recommend taking a look at NIST
SP 800-30, SEI-CMM, FRAP, and a few others...
 
Thanks,

========================
Brad Bemis, CISSP, CISA, CBCP
Supervisor - Enterprise Security
Nordstrom, Inc.
(206) 233-5332
========================
Nordstrom's commitment to
superior customer service extends
to proper protection of the sensitive
personal information entrusted to us
by our customers.

 

  _____  

From: Alt, Brandon C. [mailto:altb@educationcentral.org]
Sent: Friday, September 24, 2004 5:39 AM
To: security-management@securityfocus.com
Subject: Project Plan for Assessments



Hi all.

I have performed several vulnerability assessments and also
general security assessments, and I was wondering how everyone else
structures their assessments. Anyone have any "standard" suggestions for
the structure of assessments? Any suggestions as to developing project
plans for various types? How do you do it?

Thanks.

Brandon Alt
Information Security Manager
Technology Division
Duval County Public Schools
altb@educationcentral.org
904-348-7259
