Re: [fw-wiz] tunnel vs open a hole

From: Duncan Sharp (drsharp@pacbell.net)
Date: 04/17/03

    From: Duncan Sharp <drsharp@pacbell.net>
    Date: Wed, 16 Apr 2003 16:36:13 -0700
    

    George Capehart wrote:

    >
    > On Thursday 10 April 2003 09:24 pm, Duncan Sharp wrote:
    > >
    >
    > <snip> (I'm re-trying the reply to Duncan, the first time didn't make
    > it through. He has raised some questions/issues that I think deserve
    > to be addressed . . .)
    >

    All;

        I too am still unsure of the true meaning of the following,
    which was extracted (in my earlier posting) from the COBIT FAQ section.

    >
    > > In trying to better understand Risk, COBIT eliminated "Risk
    > > Statements" from
    > > its Control Objectives in favor of "the pro-active approach
    > > (objects are to be
    > > achieved) over the reactive approach (risks are to be
    > > mitigated)".
    >
    > I'm not sure that I understand what this statement means.

    I have since downloaded more of the documents from the site,
    including the Control, Overview and Framework.

    The documents I had read from COBIT's site prior to downloading the
    "Standards" were from the Procedures of IS Auditing:
        "IS Risk ASSESSMENT Measurement"

    > I can address
    > the segment: "eliminated 'Risk Statements' from its Control
    > Objectives," though. In COBIT, 3rd Edition, High-level Control
    > Objective PO9 is: Assess Risks. Under this high-level objective there
    > are eight detailed objectives:
    >
    > 1. Business Risk Assessment
    > 2. Risk Assessment Approach

    This is the only section of PO9 that mentions security (security
    specialists identify threats) and IT specialists (IT specialists identify
    control selection). Management leads this effort by setting the
    scope/framework, helping identify vulnerabilities, and leading the
    identification of the risk mitigation solution.

    >
    > 3. Risk Identification

        Further defines item 2 above, and defines essential risk elements as:
        [in]tangible assets, asset value, threats, vulnerabilities, safeguards,
        consequences, and likelihood of threat. It then further defines
        item 2 to include such areas as legal, business, human resources risks,
        and so on. Defines management as the lead here.

    >
    > 4. Risk Measurement

        This item only states that either a qualitative or quantitative result
        comes from the risk identification information asset. Identifies
        management as the lead here again.

    >
    > 5. Risk Action Plan

        The Risk Action Plan suggests identifying actions as avoidance,
        mitigation, or acceptance.

    >
    > 6. Risk Acceptance

    >
    > 7. Safeguard Selection
    > 8. Risk Assessment Commitment

    >
    >
    > (from the COBIT 3rd Edition Control Objectives, July 2000)
    >
    > And in the 3rd Edition Audit Guidelines there is a whole section on
    > evaluating how well those objectives are met. Some of the things that
    > are looked at/for are:
    >

    These are from the "High Level Control Objective" for "Assessing Risks"
        "And takes into consideration"

    >
    > - risk management ownership and accountability
    > - different kinds of IT risks (technology, security, continuity,
    > regulatory, etc.)
    > - defined and communicated risk tolerance profile
    > - root cause analyses and risk brainstorming sessions
    > - quantitative and/or qualitative risk measurement
    > - risk action plan
    > - timely reassessment
    >
    > So there are some "Risk Statements" left . . . and, IMHO, they do a
    > reasonable job of evaluating the risk management process.

        Yes, I agree there are "Risk Statements" left.

        But what appears to have been done is to avoid specifying any particular
        security risk/threat/vulnerability as a risk item (or a risk to be
        mitigated), and rather to allow identified security (or other types of)
        threats to be identified in terms of a business risk.

        Or what the FAQ's "pro-active" risk statement meant is the section
        "Delivery and Support" (5), subsection "Ensure Systems Security" 5.1 to
        5.21, which are objectives for IT security to implement and/or control.

    Thank you for your post; otherwise I would not have looked at all the
    documents at the site.

    Yours,
    Duncan

    >
    >
    > BR
    > - --
    > George Capehart
    >
    > PGP Key ID 63F0F642 at http://pgp.mit.edu
    >
    > "Excuse of the day: We're on Token Ring, and it looks like the
    > token got loose." -- BOfH

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

