2000-02-01-16:09:09 Matt McClung:
> I am looking for a good paper on why a company should perform a
> security assessment.

I'm going to take a liberty and assume that a security assessment is the same thing as a security audit. Given that assumption, I'll take a stab at this one.

There are two categories of reason you might want a security audit, associated with the two sorts of audits. Very roughly you can call them internal and external.

An internal audit is for your own benefit; it's requested by your own organization, the results are reported only to your own organization, and the intent is that the auditing process teaches you something about security and how to make it better. An internal audit can be conducted by your own staff, if you have the expertise. You can get an internal audit conducted by outside experts, but it takes some doing to get real experts that can teach you enough to be useful (I loved the recent Dilbert on the Bait-n-Switch consulting company :-).

An external audit is conducted for someone else's benefit. Perhaps a parent organization, perhaps a potential investor or purchaser. External financial audits are often part of financial reporting practices.

I've written more about this in my paper on auditing firewalls, available from <URL:http://www.itsecurity.com/papers/p5.htm>.

To answer your question another way, solely from the perspective of internal audits: doing security _right_ is hard. It can be a big help to get someone with a fresh point of view to review your work and possibly recommend improvements. And if they don't recommend any, that's a really satisfying endorsement of your work.
-Bennett
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:04 PDT