Security Basics mailing list archives

RE: Risk assessment


From: aaa () bbb com
Date: 1 Jun 2009 22:34:50 -0000

I couldn't find your last reply on the list, so I'm replying to 'myself'.

The first report covers risk/vulnerabilities.  The second is a way of color coding data values for use in other places. 
 Your valuations may be different than those in the example but they are a good starting point.  

First, why aren't your examples adequate?  Use them as a starting point.  Create a sheet for each "IT Resource", 
computer/software/firewall etc. Research to create your own (or auditor-supplied) list of potential risks. Get the 
appropriate person to assign High/Med/Low/None values to the probability and severity of each risk you've identified as 
being relevant to this resource. Then use the matrix to convert the relative valuations into a numeric value that 
people can more easily relate to.  The degree of each risk is always relative to your business.  So you don't assign 
risk values, get the appropriate "data owner" to assign values.  You or your boss can do it for IT.

Second, ask the auditors to tell you exactly what THEY want/expect, rather than guessing or asking us.  Although IT 
pros tend to think of auditors as "the enemy" or "the devil incarnate" or some such, they are not.  Think of them as 
your partners in securing corporate data.  You do the "hard work" and they come along and, being know-it-alls, tell you 
what you've done wrong.  So get them to provide you with an exact definition or example of what they need to be happy. 

The first step in the whole process will be to identify the IT resources (on a regular scheduled basis, weekly/monthly, 
would be best).  Use one of the network enabled inventory tools like Belarc, Secunia, SUMo that will scan your network, 
identify all hardware, and all software on the hardware.  Secunia and Sumo will also report software that needs 
patching/updating and provide links.  So you run the scanner, fit the results into the matrix then start working on the 
high value ("4") issues first.  If you can automate the matrix step it will speed life up for you.  At some point you 
will have to submit the report to the auditor.  At that time you will have to justify why known faults are not fixed.  
For some a valid answer will be, "but it is brand new, just identified 1 day ago".  For others "the rating is so low, 
0/1/2, that we have not had time to deal with it because we have been dealing with higher priorities".  

If you set up a process to run the scans regularly, and patch the highest priorities as quickly as possible, and lower 
priorities on a time-available basis, you won't have a lot to defend. And your company IT resources will be much more 
secure than the average "out there".

Oh yes, unless your company is only 1 or 2 servers and 5 to 10 user desktops I'm willing to bet right now that your 
report will be much more than 30 pages.  In that case you might want to investigate putting the generated inventory 
data into a DB so that you can track when a problem is identified and when/how/who fixed the problem (which is probably 
also something the auditors will want to know).  Then you can generate a report in any format the auditors want.  And 
the DB will be helpful in generating reports for your mgmt.  It is also probably safe to say that they don't have a 
clue how many vulnerabilities are out there that we have to keep up with.  Good at budget time when they ask "what have 
you done for me lately".
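Added example (not part of the original post or the thread): a small Python sketch of the workflow described above, i.e. converting the data owner's High/Med/Low/None probability and severity ratings into a 0..4 number via a matrix, loading scanner findings into a DB so that when-identified and when/how/who-fixed are tracked, and pulling the open work queue highest rating first. The matrix values, the scanner findings and the host names are constructed for illustration; the post does not give its own matrix, so the bucketing here is an assumption.

```python
"""Risk matrix + finding tracker (illustrative, constructed for this post)."""
import sqlite3

# Ordinal values for the ratings the "data owner" assigns (assumed mapping).
LEVELS = {"None": 0, "Low": 1, "Med": 2, "High": 3}


def risk_score(probability: str, severity: str) -> int:
    """Matrix step: relative ratings -> 0..4 numeric rating.

    Assumed bucketing: any "None" gives 0; otherwise the product of the two
    ordinals (1..9) is bucketed so that only High/High and High/Med reach 4.
    """
    p, s = LEVELS[probability], LEVELS[severity]
    if p == 0 or s == 0:
        return 0
    product = p * s
    if product >= 6:
        return 4
    if product >= 4:
        return 3
    if product >= 2:
        return 2
    return 1


# Constructed sample of what a network inventory/patch scanner might report,
# after the data owner has rated each finding for this resource.
CONSTRUCTED_FINDINGS = [
    {"resource": "web01", "issue": "httpd outdated, vendor patch available",
     "probability": "High", "severity": "High"},
    {"resource": "hr-desktop-07", "issue": "PDF reader outdated",
     "probability": "Med", "severity": "Med"},
    {"resource": "print-srv", "issue": "default SNMP community string",
     "probability": "Low", "severity": "Low"},
    {"resource": "file01", "issue": "legacy file-sharing protocol enabled (host isolated)",
     "probability": "None", "severity": "High"},
]


def build_tracker(findings, identified_on: str) -> sqlite3.Connection:
    """Load one scan run into an in-memory DB, scoring each finding."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE finding (
               id INTEGER PRIMARY KEY, resource TEXT, issue TEXT,
               probability TEXT, severity TEXT, score INTEGER,
               identified_on TEXT, fixed_on TEXT, fixed_by TEXT, fix_note TEXT)"""
    )
    conn.executemany(
        "INSERT INTO finding (resource, issue, probability, severity, score, identified_on)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(f["resource"], f["issue"], f["probability"], f["severity"],
          risk_score(f["probability"], f["severity"]), identified_on) for f in findings],
    )
    conn.commit()
    return conn


def record_fix(conn, resource: str, issue: str, fixed_by: str, fixed_on: str, note: str) -> int:
    """Record when/how/who fixed a finding; returns the number of rows closed."""
    cur = conn.execute(
        "UPDATE finding SET fixed_on = ?, fixed_by = ?, fix_note = ?"
        " WHERE resource = ? AND issue = ? AND fixed_on IS NULL",
        (fixed_on, fixed_by, note, resource, issue),
    )
    conn.commit()
    return cur.rowcount


def open_work_queue(conn):
    """Unfixed findings, "4" issues first, oldest first within a rating."""
    return conn.execute(
        "SELECT resource, issue, score, identified_on FROM finding"
        " WHERE fixed_on IS NULL ORDER BY score DESC, identified_on, id"
    ).fetchall()


def auditor_report(conn):
    """One row per finding with its status, for whatever format the auditor wants."""
    rows = conn.execute(
        "SELECT resource, issue, score, identified_on, fixed_on, fixed_by, fix_note"
        " FROM finding ORDER BY score DESC, resource"
    ).fetchall()
    return [
        {"resource": r[0], "issue": r[1], "score": r[2], "identified_on": r[3],
         "status": f"fixed {r[4]} by {r[5]}: {r[6]}" if r[4] else "open"}
        for r in rows
    ]


if __name__ == "__main__":
    db = build_tracker(CONSTRUCTED_FINDINGS, "2009-06-01")
    record_fix(db, "web01", "httpd outdated, vendor patch available",
               "sysadmin", "2009-06-02", "applied vendor patch")
    for row in auditor_report(db):
        print(row)
```

The DB columns are the ones the post says the auditors will ask about (when identified, when/how/who fixed); running the scan on a schedule and calling `build_tracker` per run is what gives you the history to defend low-rated items that are still open.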

