The gap analysis is far more complex than the rest of the issue. I
have considered this in great depth over time and have come to the
conclusion that these automated tools are of little value except in
keeping track of things that people understand and codify. I have a
set of books that try to cover these issues (look at http://asp-
press.com for details), but in the end, how protection is implemented
and to what extent it is implemented is highly context dependent and
without the ability to model the business and relate the model to
protection objectives with valuations or relative import and
mitigating factors with efficacy while understanding management risk
tolerance and the threat environment yields nearly useless results.
This is also what I see in reports from companies trying to automate
lots of these processes or use low-level folks to do assessments.
FC
On Jan 8, 2006, at 4:31 AM, sukh.gill1@btinternet.com wrote:
Hi All,
I’m presently conducting research for my final year dissertation;
the project entails creating a software application to help SME’s
assess their network security posture. Using a questionnaire based
database the application will highlight areas of concern and
provide a gap analysis report. Areas that I will touch on include:
Perimeter Firewalls, Router ACL’s, TCP wrappers, DMZ objects (SMTP
and Web servers), Virus and Proxy Servers, NOS, WLAN,IDS and DNS
servers.
I need the groups help on the following point:
What official network security standards can I use for my gap
analysis report?
Cheers,
S Gill
-- This communication is confidential to the parties it is intended
to serve --
Security Posture securityposture.com tel/fax
University of New Haven unhca.com 925-454-0171
Fred Cohen & Associates all.net 572 Leona Drive
ASP Press asp-presss.com Livermore, CA 94550
