
| Subject: | RE: Is there any way to measure IT Security?? |
|---|---|
| Date: | Thu, 4 Aug 2005 10:47:16 +0530 |
SSE CMM might be a good approach for "measuring security". The library in http://www.sse-cmm.org/lib/lib.asp may be of help. One of the reasons for development of SSE-CMM is to "advance security engineering as a defined, mature and measurable discipline".

Most personnel forget that defining, using and implementing security processes are very critical to the Organization. How effectively these have been implemented measures the effectiveness of the security. While Technology and the tools can provide that much security, unless people are aware of the processes that are involved in keeping, using, maintaining, updating and upgrading these devices, there is no use of the devices. Additionally, one should also look at effectively training people to ensure that they follow the process and use the tools correctly.

While a VA and a PT can effectively provide a measure of security from the technical angle, process-wise BS7799 and ISO17799 provide a really good benchmark. SSE-CMM adds to provide a measurable value to the BS and ISO.

More important, do a good risk analysis - this is the foundation. Understand what affects you, how, why, when... The risk would be completely different for the same device in multiple topologies, and the best tool I guess is the human brain for this.

Rgds,
Shankar

-----Original Message-----
From: Marriott, Bill (US - Dallas) [mailto:bmarriott@deloitte.com]
Sent: Thursday, August 04, 2005 1:25 AM
To: John Alexander; Gary Everekyan; irony@trini.org; toto@playon.co.id
Cc: pen-test@securityfocus.com; security-management@securityfocus.com; secpapers@securityfocus.com; security-basics@securityfocus.com
Subject: RE: Is there any way to measure IT Security??

This is a good list, but somewhat incomplete. I think you should consider that security is not a destination, it is a process. There are plenty of sources out there that you can measure yourself against, from a process point of view.

Check out the ISO17799 standard or the BS7799 standard; they outline the processes which go into a well developed security program. Or look at the Generally Accepted Information Security Principles (under development - http://www.issa.org/gaisp/gaisp.html).

The NSA IAM/IEM is a methodology for managing controlled penetration/vulnerability for a particular system/app. The OWASP is for web application testing. These might give you an idea of the security posture of one server or application, but not overall for your company. This kind of testing makes up a small amount of managing a secure organization.

Take a look at the new ISO version, 2005. This fall, there will be a different ISO standard, 27001, which will allow a company to be certified against the standard. http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref963.html

Hope that helps.

/bpm

-----Original Message-----
From: John Alexander [mailto:aj@adexec.com]
Sent: Wednesday, August 03, 2005 4:21 AM
To: Gary Everekyan; irony@trini.org; toto@playon.co.id
Cc: pen-test@securityfocus.com; security-management@securityfocus.com; secpapers@securityfocus.com; focus-linux@securityfocus.com; libnet@securityfocus.com; firewalls@securityfocus.com; security-basics@securityfocus.com
Subject: Re: Is there any way to measure IT Security??

Basically IT Security covers a gamut of areas; I am just listing some, on the fly:

* Antivirus Solutions
* Intrusion Prevention
* Intrusion Detection
* Patch Management
* Firewall
* VPN Gateway
* Vulnerability Assessment & Reporting
* Identity Access Management (single-sign-on, SOX/HIPAA/GLB compliance....)
* Network Security
* Security Policy Compliance Management
* AntiSpam (mail protection software)
* Web Content Filtering

I'm not sure whether we have a one-size-fits-all solution which can help us in measuring your enterprise IT Security posture.

I can list some good tools I have come across personally like NMap, ScanFi, Nessus, IdentityAccess Manager, GFI ... but the list is endless, so give them a try in google :-)

----- Original Message -----
From: "Gary Everekyan" <karo.onnik@bluetie.com>
To: irony@trini.org, toto@playon.co.id
Subject: Re: Is there any way to measure IT Security??
Date: Tue, 02 Aug 2005 14:32:30 -0400

Google "Risk reporting" and you will get a whole list of research links. It would also be helpful to look at owasp www.owasp.org

HTH

Regards,
Gary Everekyan
CISSP, CISM, ISSAP, ISSPCS, MCSE, MCT
garyeve@Microsoft.com

"High achievement always takes place in the framework of high expectation" -Jack Kinder

-----Original Message-----
From: "Larry Marin (Irony Account)" [irony@trini.org]
Date: 08/02/2005 01:09 PM

You should check out the NSA IAM/IEM Methodology... it works well for me.
http://www.iatrp.com/iam.cfm

Toto A Atmojo wrote:

Dear all,

Currently I'm looking for a tool, or a technique to measure IT security.

The baseline for security is CIA (Confidentiality, Integrity and Availability); that is, every organization which wants to be called secure must guarantee that their system complies with this matter. But the problem is, we need a tool/technique to measure how secure we are. Therefore, we need a tool/technique to measure how close our system status now is to CIA.

Please share your experience about this matter. If there is any link about this issue, I would really appreciate it if you share it with us (You may contact me privately).

Best Regs,
Toto