Re: SME risk assessment (Was: Bank Assessment)

From: Jason High (strongcypher_at_hotmail.com)
Date: 04/26/04

    To: fergus@cobbled.net, pen-test@securityfocus.com
    Date: Mon, 26 Apr 2004 09:03:59 -0400
    
    

    I work for a small business and couldn't disagree more. You're assuming
    that small business = small profit = small amount of risk. This is not true
    in many cases. The company that I work for is a multi-million dollar
    company that stores a great deal of very sensitive information, and
    therefore our risk is relatively high.

    You also assume that because a company is small you only need to be equipped
    with a strong understanding of that business's processes to perform a risk
    assessment. Again, I have to respectfully disagree. The size of a company
    does not necessarily dictate the complexity of a risk assessment. My
    company, again, is a prime example. We have many distinct divisions that
    perform a vast array of functions. Applying a methodology is extremely
    valuable in such situations to ensure uniformity and to provide guidance to
    the party(ies) doing the risk assessment.

    While I agree that a strong understanding of the company's business
    processes is extremely valuable, if not absolutely vital, I disagree that it
    is the only issue or that applying a methodology has no value to small
    businesses.

    --
    Jason E. High, RHCT, GSEC, MCP
    >From: fergus <fergus@cobbled.net>
    >To: pen-test@securityfocus.com
    >Subject: Re: SME risk assessment (Was: Bank Assessment)
    >Date: Fri, 23 Apr 2004 23:02:31 +0100
    >
    >On 23.04-09:57, Amit Deshmukh wrote:
    >[ ... ]
    > >                          ... would anyone know of
    > > a simple risk assessment methodology that could be
    > > employed for small to medium businesses?
    >
    >the problem is not the methodology it is the
    >understanding.  you need to understand the threat
    >and risk on a number of levels to make an
    >effective assessment.
    >
    >that is what you pay for at the end of the day;
    >experience and knowledge.
    >
    >for a simple example, it would be difficult to implement
    >a password policy if you do not understand the
    >relevant issues; that comes down to users,
    >distribution, environment, etc, etc.  all these
    >things are logical and if you have the necessary
    >understanding then you do not need methodology -
    >not for small businesses.
    >
    >it's basically an issue of common sense (once you
    >can ably cover the issues).
    >
    >if you mean a vulnerability assessment or pen-test
    >then you are better (for the small business
    >sector) to simply use tools.  nessus basically; it
    >will be adequate for the target.
    >
    >the problem is that small companies have low value
    >assets and most have very little relating to
    >information/computers.  even the ones that should
    >know better (i.e. accountants and solicitors) are
    >ill able to afford and digest a detailed report.
    >they simply need a solution that puts them a
    >couple of levels higher than the next guy.
    >
    >to summarise - perceived risk is low and therefore
    >over investment in detailing actual risk is
    >difficult, costly and unpopular.
    >
    >--
    >: fergus cameron                :   [ .]        cobbled    :
    >: ^^^^^^@cobbled.net            : [ ~][ ]             .net :
    >
    >------------------------------------------------------------------------------
    >Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    >any course! All of our class sizes are guaranteed to be 10 students or less
    >to facilitate one-on-one interaction with one of our expert instructors.
    >Attend a course taught by an expert instructor with years of in-the-field
    >pen testing experience in our state of the art hacking lab. Master the skills
    >of an Ethical Hacker to better assess the security of your organization.
    >Visit us at:
    >http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    >-------------------------------------------------------------------------------
    >