The technique must be risk analysis, considering the actual risks,
vulnerabilities and loss costs estimation.
If you want to measure, you must reduce everything to numbers. Start with
the loss costs for your confidentiality, integrity and availability...
Identify the vulnerabilities and the probability of a specific accident ...
Define levels of security and the types of possible enemies ...
At the end you will get 2/3 charts that have the measure of your security
...
Don't forget the physical security issue, considering your security in a
holistic approach (people, facilities and information)
Of course this is the telegraphic way to explain it, but with lots of hints
to start
FM
----- Original Message -----
From: "Toto A Atmojo" <toto@playon.co.id>
To: <pen-test@securityfocus.com>; <security-management@securityfocus.com>;
<secpapers@securityfocus.com>; <focus-linux@securityfocus.com>;
<libnet@securityfocus.com>; <firewalls@securityfocus.com>;
<security-basics@securityfocus.com>
Sent: Thursday, July 28, 2005 11:02 AM
Subject: Is there any way to measure IT Security??
Dear all,
Currently I'm looking for a tool, or a technique to measure IT security?
The baseline for security is CIA (Confidentiality, Integrity and
Availability), that is every organization which want to called secure
must
be guarantee that their system comply this matter.
But the problem is, we need a tool/technique to measure how secure are
we.
Therefore, wee need a tool/technique to measure how close that our system
status now to CIA.
Please share your experience about this matter.
If there any link about this issue, I really appreciate if you share to
us
(You may contact me privately) .
Best Regs,
Toto
--------------------------------------------------------------------------------
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.9.6/59 - Release Date: 27-07-2005
