Dailydave mailing list archives
RE: Information System Security Assessment Framework (ISSAF) Draft 0.1
From: surreal () delusory org
Date: Fri, 31 Dec 2004 11:41:00 -0700
Disclaimer: I have a rule about not reading 1054-page PDFs while on vacation, or maybe I'm waiting for the Oo version.

I can't help but wonder "why do this?", given the existence of the OSSTMM. How does this document differ? What's the niche being filled? I'm not saying it's not worthwhile, but I think those are valid questions.

I regret that I must now perform the ritual of After Christmas Sales; SWMBO summons me.

Surreal OPSA, Cat Feeder.
Yargs! That's a 1054 page PDF. There's a mispelling on page 544 though. Some packets get "drooped". Not that I should be commenting on the spelling of anyone else's work, since, as Bas says, "It's not a dave post without a mispelling".

My only request to the ISSAF is to turn the buzzword factor down just a bit. Even the announcement is hard to read. If I had to describe the pages I've read so far, I'd say "This PDF shows things you can learn from hping2". But now I've scrolled to a different page, and it's talking about OSPF router authentication stuff. Reasonably good Oracle section, it turns out. (Page 440)

These guys need to convert it to OpenOffice format. It's hugely painful to read large documents as a PDF. This thing is basically a book. It reminds me of the Hackers Handbook, actually.

-dave

admoore () phreaker net wrote:

Dear Colleague,

Today, the evaluation of Information Systems (IS) security in accordance with business requirements is a vital component of any organization's business strategy. While there are a few information security assessment standards, methodologies and frameworks that talk about what areas of security must be considered, they do not contain specifics on HOW and WHY existing security measures should be assessed, nor do they recommend controls to safeguard them.

The Information System Security Assessment Framework (ISSAF) is a peer reviewed structured framework that categorizes information system security assessment into various domains & details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real life scenarios. ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. ISSAF includes the crucial facet of security processes, and their assessment and hardening, to get a complete picture of the vulnerabilities that might exist.
The information in ISSAF is organized into well defined evaluation criteria, each of which has been reviewed by subject matter experts in that domain. These evaluation criteria include:

- A description of the evaluation criteria.
- Its aims & objectives
- The pre-requisites for conducting the evaluations
- The process for the evaluation
- Displays the expected results
- Recommended countermeasures
- References to external documents

A draft version of this framework is available at OISSG website at:

http://oissg.org/issaf01/issaf0.1.zip (5.59 MB) or
http://oissg.org/issaf01/issaf0.1.pdf (12.6 MB)

The Information System Security Assessment Framework (ISSAF) is an evolving document that will be expanded, amended and updated in future. To improve the usefulness of the future release of ISSAF, please take a moment to evaluate it. Your feedback is invaluable to OISSG's efforts to fully serve the profession and future ISSAF releases.

The feedback form is given at the end of ISSAF; please email your feedback at feedback () oissg org. We will get back to you ASAP.

Best regards,
A.D. Moore

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave