Re: BS7799 via Octave

Subject: Re: BS7799 via Octave
Date: Wed, 3 Nov 2004 13:19:49 -0600 (CST)
Hi Marian,

From my understanding (and per my strategic plan), OCTAVE is primarily a
high-level risk assessment tool aimed at senior/executive management.  It
has the output of identifying key risk areas, providing a nice snapshot of
the overall risk landscape, and helping set strategic security direction
for the organization.

BS7799 (or ISO17799) is then a nice generic framework for addressing
security strategically throughout the organization.  You would use the
OCTAVE output as an input for your framework development process,
leveraging it to make the best allocations of resources.  For example,
high value targets should receive more resource allocation for protection
than low-value targets (typically).  Stuff like that.

Beyond that, I've found that leveraging other methodologies, like
IA-CMM/IAM (http://www.iatrp.com/) or even CoBIT, can help you further
assess the effectiveness of your x7799-based framework and resultant
controls.  Most Big X auditors are using CoBIT right now because it has
been mapped to COSO for SarbOx compliance.  It's also rumoured to be in
the process of getting mapped to ISO 17799, which will further ease
audit/compliance/governance for x7799 orgs in the future.  I personally
like IA-CMM because it uses the base CMM model (with which I'm more
familiar and comfortable) and implements a nice, robust assurance program
without the nasty growing pains.  In other words, it's quite intuitive (to
me, anyway;).

Hope this helps you out.  Good luck with your implementation!

-ben

---
Benjamin Tomhave, CISSP
falcon@secureconsulting.net
http://falcon.secureconsulting.net/


Hello,

My company decided to use the Octave Method for risk assessment on our
journey to get a BS7799 certificate. Seems like I will do most of the
work. We are a factory producing several mid products for other consumer
products producer factories. Most of the information assets are on paper
rather than computers.

If anyone has experience in using the Octave method for risk analysis
before BS7799 certification, I will appreciate some help once in a
while. Any reading material you may suggest? Any conflicting issues you
faced during implementation?

One basic question... Octave focuses on the most important assets while
BS7799 seems to ask for the ranking of all information assets. Seemed to
me like a lot of work to evaluate all assets via Octave. I am planning to
follow 2 methods instead. Any experienced comments will be appreciated.

Thanks,
Marian
