Re: [fw-wiz] Help With Risk Assessment

> I am looking for guidance on creating a matrix for a IT risk assessment.[color=blue]
> I am using the methdology from NIST SP 800-30 and am looking for specific[/color]
line items to add to the matrix. Any help or[color=blue]
> pointers you can provide are appreciated in advance. While looking for[/color]
something complete I am not necessarily looking[color=blue]
> for exhaustive (but can pare that down if need be).[/color]

I think this is a little off-topic for fw-wiz, but I know it's hard to find
lists to ask these questions to. I defer to Paul as to whether or not he
wants to let the thread keep going.

If I were doing 800-30 and had a good inventory of systems and functions,
but not a good idea of what the potential vulnerabilities were, I might take
a look at something like the OCTAVE Catalog of Practices [1] (I don't know
if NIST has something like this for 800-30, but OCTAVE and 800-30 are
similar in that they are both risk assessment methodologies.) and work
backwards from the applicable practices. Essentially you're doing a gap
analysis of your practices as a first step to the vulnerability analysis.
It wouldn't be perfect, but it's much easier to put into survey form and
collect data for.

Hope that helps!

PaulM

[1] [url]http://www.cert.org/archive/pdf/01tr020.pdf[/url]


_______________________________________________
firewall-wizards mailing list
[email]firewall-wizards@listserv.icsalabs.com[/email]
[url]https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards[/url]