This is a discussion on Re: [fw-wiz] Help With Risk Assessment - Firewalls ; This is a bit off topic you might want to try to look at NIST 800-53 rev 2 and fips 200, particularly the appendices of 800-53. On Wed, May 7, 2008 at 1:31 PM, Paul Melson wrote: > > I ...
This is a bit off topic you might want to try to look at NIST 800-53
rev 2 and fips 200, particularly the appendices of 800-53.
On Wed, May 7, 2008 at 1:31 PM, Paul Melson
> > I am looking for guidance on creating a matrix for a IT risk assessment.
> > I am using the methdology from NIST SP 800-30 and am looking for specific
> line items to add to the matrix. Any help or
> > pointers you can provide are appreciated in advance. While looking for
> something complete I am not necessarily looking
> > for exhaustive (but can pare that down if need be).
> I think this is a little off-topic for fw-wiz, but I know it's hard to find
> lists to ask these questions to. I defer to Paul as to whether or not he
> wants to let the thread keep going.
> If I were doing 800-30 and had a good inventory of systems and functions,
> but not a good idea of what the potential vulnerabilities were, I might take
> a look at something like the OCTAVE Catalog of Practices  (I don't know
> if NIST has something like this for 800-30, but OCTAVE and 800-30 are
> similar in that they are both risk assessment methodologies.) and work
> backwards from the applicable practices. Essentially you're doing a gap
> analysis of your practices as a first step to the vulnerability analysis.
> It wouldn't be perfect, but it's much easier to put into survey form and
> collect data for.
> Hope that helps!
>  http://www.cert.org/archive/pdf/01tr020.pdf
> firewall-wizards mailing list
firewall-wizards mailing list