Sounds like you're talking about risk management - that's the "why" for doing a security assessment. I'd recommend you take a look at some of the material at NIST's website first. They have done some good work, and their material is free of vendor/consultant bias - your tax dollars at work :).

If you're interested go to: http://csrc.nist.gov and search for the following documents:

NIST Special Publication 800-18,
NIST Special Publication 800-12, (see Chap 7 for an overview, Chap 20 for a case study)

Jim Moore
256.461.4381
----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9 7886 7797 6908 048F 049B
---------------------------------------------------

> -----Original Message-----
> From: Matt McClung [SMTP:mmcclungat_private]
> Sent: Tuesday, February 01, 2000 3:09 PM
> To: firewall-wizardsat_private
> Subject: Paper on why I need a security Assessment
>
> I am looking for a good paper on why a company should perform a security
> assessment. Not the What is an assessment type of paper, but a WHY - If I
> don't do anything then what?
>
> Example: If you don't check the configuration of your web server, you may
> leave a default server setting that allows for a system compromise using a
> well known scripting tool.
>
> Anyone have a link to something like this?
>
> Matt

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:02 PDT