Network Security Library

Risk Assessment





Data-Centric Quantitative Computer Security Risk Assessment
A quantitative risk assessment strategy is outlined with brief discussions of threat, risk categories and data classification. The differences between quantitative and qualitative assessments are specified with the conclusion that both methods have significant strengths and weaknesses. A quantitative method that spans both assessment types is then presented with rigorous analysis of impact of individual risk factors upon the overall risk to information. A method of easily organizing risk factors according to the quantitative method called a Risk Assessment Orgchart is explained and demonstrated. Careful manipulation of the method can make the analysis very sensitive to data classification and thus data-centric. A discussion on how to assign values to individual risk factors (scoring) should help users of the method be successful. Finally, a simple sample assessment is presented to tie all the analysis elements together and to further clarify the method.
03/24/2004


An Introduction to Information Risk Assessment
An understanding of risk and the application of risk assessment methodology is essential to being able to efficiently and effectively create a secure computing environment. Unfortunately, this is still a challenging area for information professionals due to the rate of change in technology, the relatively recent advent and explosive growth of the Internet, and perhaps the prevalence of the attitude (or reality) that assessing risk and identifying return on investment is simply too hard to do. This has kept information systems and information systems security in the undesirable position of being unable to systematically identify and monetarily quantify security risks. This in turn has led to inconsistent and inappropriate applications of security solutions as well as either excessive or insufficient funding for such activities. Therefore this paper addresses the issue of risk with respect to modern information systems.
03/24/2004


Assessing Internet Security Risk, Part Five: Custom Web Applications Continued
This article is the fifth and final in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In the second article, we started to discuss the methodology that we follow in performing this kind of assessment. The third part discussed methodology in more detail, focussing on visibility and vulnerability scanning. The fourth installment discussed a relatively unexplored aspect of Internet security, custom Web applications. This article will conclude the discussion of security risks of Web applications.
03/22/2004


Assessing Internet Security Risk, Part Four: Custom Web Applications
This article is the fourth in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In the second article, we started to discuss the methodology that we follow in performing this kind of assessment. The third part discussed methodology in more detail, focussing on visibility and vulnerability scanning. This installment will discuss a relatively unexplored aspect of Internet security, custom Web applications.
03/22/2004


Assessing Internet Security Risk, Part Three: an Internet Assessment Methodology Continued
This article is the third in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In the second part, we started to discuss the methodology that we follow in performing this kind of assessment. In this installment, we will continue to discuss methodology, particularly visibility and vulnerability scanning.
03/22/2004


Assessing Internet Security Risk, Part One: What is Risk Assessment?
This article is the first of a series that is designed to help readers to answer questions three and four in the context of Internet-connected systems: What are the threats that my Internet-connected systems face, and what are the chances of those threats being realized? Over the next few weeks we will explore the thinking around Internet Security Assessments, not only why they are done, but also how they are done. By the end of this series you should understand how performing an Internet security assessment can contribute to an effective information security strategy, what you should expect from such an assessment and even how you could go about performing such an assessment yourself.
03/22/2004


Assessing Internet Security Risk, Part Two: an Internet Assessment Methodology
This article is the second in a series that is designed to help readers to assess the risk that their Internet-connected systems are exposed to. In the first installment, we established the reasons for doing a technical risk assessment. In this installment, we'll start discussing the methodology that we follow in performing this kind of assessment.
03/02/2004


Introduction to the NSA Infosec Assessment Methodology (IAM)
The NSA Infosec Assessment is conducted by a team of individuals who review the information system security posture of an organization to identify potential vulnerabilities and recommend steps for eliminating or mitigating those vulnerabilities. The IAM consists of 18 core subjects; however, these may be modified to ensure the assessment addresses any organization-specific elements.
Mitchell Rowton, 02/17/2004






Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget
