Re: Paper on why I need a security Assessment

From: Bennett Todd (betat_private)
Date: Wed Feb 02 2000 - 05:44:52 PST

    2000-02-01-16:09:09 Matt McClung:
    > I am looking for a good paper on why a company should perform a
    > security assessment.
    
    I'm going to take a liberty and assume that a security assessment is
    the same thing as a security audit. Given that assumption, I'll take
    a stab at this one.
    
    There are two categories of reason you might want a security audit,
    associated with the two sorts of audits. Very roughly you can call
    them internal and external. An internal audit is for your own
    benefit; it's requested by your own organization, the results are
    reported only to your own organization, and the intent is that the
    auditing process teaches you something about security and how to make
    it better. An internal audit can be conducted by your own staff, if
    you have the expertise. You can get an internal audit conducted by
    outside experts, but it takes some doing to get real experts that
    can teach you enough to be useful (I loved the recent Dilbert on the
    Bait-n-Switch consulting company:-).
    
    An external audit is conducted for someone else's benefit. Perhaps a
    parent organization, perhaps a potential investor or purchaser.
    External financial audits are often part of financial reporting
    practices.
    
    I've written more about this in my paper on auditing firewalls,
    available from <URL:http://www.itsecurity.com/papers/p5.htm>.
    
    To answer your question another way, solely from the perspective of
    internal audits: doing security _right_ is hard. It can be a big
    help to get someone with a fresh point of view to review your work
    and possibly recommend improvements. And if they don't recommend
    any, that's a really satisfying endorsement of your work.
    
    -Bennett
    
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:04 PDT