Penetration Testing mailing list archives
RE: Sample Risk Assessment Report
From: "Cure, Samuel J" <scure () kpmg com>
Date: Fri, 14 Jan 2005 12:37:33 -0500
This raises a question. Is this a top down approach or bottom up approach based on the OSI model with business layer being on top? The challenge with mapping assets to vulnerabilities using a bottom up approach is the ability to identify business risk associated with findings. If a bottom up approach is being used, then the technical assessments are performed first. Therefore, trying to identify the assets or business risk after the technical assessment is performed increases the chance of missing something with business impact. As Tyler mentioned, target audience is key and I concur with the report content he listed. Others? Thoughts? -scure -----Original Message----- From: Tyler Markowsky [mailto:tyler.markowsky () seccuris com] Sent: Thursday, January 13, 2005 6:10 PM To: 'Mambo'; pen-test () securityfocus com Subject: RE: Sample Risk Assessment Report Hello Mambo- Who will be the audience of this report? Board-level? Executive management? IT Security professionals? Depending on who will be reading it, try to apply your knowledge of the organizations assets and critical business functions to the discovered vulnerabilities. This will provide value to not only those who are highly technical, but also those who are not. Best, Tyler Markowsky Information Risk Analyst Seccuris -----Original Message----- From: Mambo [mailto:mamboz () gmail com] Sent: Thursday, January 13, 2005 5:04 AM To: pen-test () securityfocus com Subject: Sample Risk Assessment Report Hi All, Any idea about any sample Risk Assessment Report's available on the net. Was searching but got very few which are not worth mentioning. Cheers Mambo """Security-- Someone gave birth...But i Own it..now...""" ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. *****************************************************************************
Current thread:
- Sample Risk Assessment Report Mambo (Jan 13)
- RE: Sample Risk Assessment Report Tyler Markowsky (Jan 14)
- RE: Sample Risk Assessment Report James Williams (Jan 14)
- <Possible follow-ups>
- RE: Sample Risk Assessment Report Todd Towles (Jan 13)
- Re: Sample Risk Assessment Report infosecgod (Jan 14)
- RE: Sample Risk Assessment Report Cure, Samuel J (Jan 14)
- RE: Sample Risk Assessment Report Tyler Markowsky (Jan 14)
- RE: Sample Risk Assessment Report Cure, Samuel J (Jan 14)