Re: Computer Security Risk Assessment Software?
Methinks "Ross Wright" <rwright@adnetsol.com> wrote:
On or About 31 Oct 96 at 12:19, Dr.Dimitri Vulis KOTM wrote:
which I assume is NOT what you have in mind :-) Do you mean something that'll take a survey of a company's computer security
Boom. Nail, head, one shot!!!! What's on the market now in that area?
and assess the risk (like Stan) or something more global?
The issues are: Information Risk Assessment and Management and also Information Security Assessment.
AFAIK, there's no tool on the market to help in all aspects of risk management even for a small outfit, because there are so many sources of risk. There are many good specialized packages.
I beg to disagree. Tools, like checklists, are ok as far as a memory jogger goes (to make sure that you haven't overlooked something), but there is no way they can replace an assessment or audit by a seasoned Information Security Officer or professional. ISOs have eyes, ears, fingers, and a mind. Tools don't. Further, assessments & audits require a mindset - usually based on experience. A tool in the hands of an inexperienced person (be they consultant, or whatever) will more than likely result in major vulnerabilities being overlooked. There is no way a tool or checklist can have every possibility on it. (They don't make laptop hard drives big enough) 8^) As Murphy's Law goes, the vulnerability that isn't mentioned in the tool will be the one that a hacker will use to crack the systems and start peeling the corporation like a grape.

Frequently, a reason people buy these tools is that they feel that the tools are more cost-effective than bringing in a consultant for the engagement. Their reasons for doing this are based on the fears that the consultant's fee will be too high, and that when the consultant leaves, so does the knowledge he used to perform the assessment. In many cases, these fears are justified. (There are exceptions, however.)

The solutions to the above-mentioned problems are:

o Shop around. Find out which consultants are qualified and what they charge.

o Make sure the consultant caps his cost. You should know the maximum price tag associated with the consulting engagement BEFORE the consultant walks in the front door. This helps to avoid having the consultant camp on your doorstep at $XXX dollars per hour for days, weeks, or months on end.

o Check the consultants to see if they have ever worked as an Information Security Officer. (Would you want to have eye surgery performed by someone who read a book about it, or by someone who is experienced at the trade?) IMHO, supplying textbook answers to non-textbook corporations is for the birds.

o If the consultant is worth anything at all, they will walk the customer through the engagement (before the engagement is over) and TEACH them how to become self-sufficient in the areas of InfoSec which were part of the engagement. (Sounds counter-productive for business, but the word-of-mouth references are worth it. It is also more honest than milking the client as some people do.) When the consultant leaves the site, the customer should know what the consultant did, and be able to follow the consultant's train-of-thought that led him to recommend the particular solutions that he did.

o Last, but not least, it also wouldn't hurt if they were professional enough to be a member of a consumer protection group (such as the Better Business Bureau, etc). This helps to keep the good guys honest and helps customers differentiate between the professionals and those who are out for a quick buck or just learned how to spell Information Security.

Food for thought.

Best Regards,

Frank

Any sufficiently advanced bug is indistinguishable from a feature. -- Rich Kulawiec

<standard disclaimer> The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
Fortified Networks Inc. - Information Security Consulting
http://www.fortified.com
Phone: (317) 573-0800 FAX: (317) 573-0817
Home of the Free Internet Firewall Evaluation Checklist
Frank Willoughby wrote:
Methinks "Ross Wright" <rwright@adnetsol.com> wrote:
On or About 31 Oct 96 at 12:19, Dr.Dimitri Vulis KOTM wrote:
which I assume is NOT what you have in mind :-) Do you mean something that'll take a survey of a company's computer security
Boom. Nail, head, one shot!!!! What's on the market now in that area?
and assess the risk (like Stan) or something more global?
The issues are: Information Risk Assessment and Management and also Information Security Assessment.
AFAIK, there's no tool on the market to help in all aspects of risk management even for a small outfit, because there are so many sources of risk. There are many good specialized packages.
I beg to disagree. Tools, like checklists, are ok as far as a memory jogger goes (to make sure that you haven't overlooked something) but there is no way they can replace an assessment or audit by a seasoned Information Security Officer or professional. ISOs have eyes, ears, fingers, and a mind. Tools don't.
[snip]
The solutions to the above-mentioned problems are: Shop around. Find out which consultants are qualified and what they charge. Make sure the consultant caps his cost. You should know the maximum price tag associated with the consulting engagement BEFORE the consultant walks in the front door. This helps to avoid having the consultant camp on your doorstep at $XXX dollars per hour for days, weeks, or months on end.
The above is a nice ideal. You should of course get a "really good" consultant, and even better, get one who's "real honest". But my guess is those guys cost the most of all, or at the very least, require the most research to find. The ideal of capping the cost is commendable as well, however, when the consultant finds midway through the project that his initial estimate (made as carefully as he possibly can) is way too low, he will now have an incentive to lie, cut corners, etc., *particularly* if the customer looks like one of those antsy types who might withhold payments and so on. My advice: Get a consultant to find a good IT consultant. Seriously.
participants (2): Dale Thorn, Frank Willoughby