[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Computer Security Risk Assessment Software?



Frank Willoughby wrote:
> Methinks "Ross Wright" <[email protected]> wrote:
> >On or About 31 Oct 96 at 12:19, Dr.Dimitri Vulis KOTM wrote:
> >> which I assume is NOT what you have in mind :-) Do you mean
> >> something that'll take a survey of a company's computer security

> >Boom.  Nail, head, one shot!!!!  What's on the market now in that area?

> >> and assess the risk (like Stan) or something more global?

> >The issues are:
> >Information Risk Assessment and Management and also Information Security Assessment.

> >> AFAIK, there's no tool on the market to help in all aspects of risk management
> >> even for a small outfit, because there are so many sources of risk. There
> >> are many good specialized packages.

> I beg to disagree. Tools, like checklists, are ok as far as a memory jogger goes (to
> make sure that you haven't overlooked something) but there is no way they can replace
> an assessment or audit by a seasoned Information Security Officer or professional.
> ISOs have eyes, ears, fingers, and a mind. Tools don't.

[snip]

> The solutions to the above-mentioned problems are:
> Shop around.  Find out which consultants are qualified and what they charge.
> Make sure the consultant caps his cost.  You should know the maximum price tag
> associated with the consulting engagement BEFORE the consultant walks in the front
> door.  This helps to avoid having the consultant camp on your doorstep at $XXX
> dollars per hour for days, weeks, or months on end.

The above is a nice ideal.  You should of course get a "really good" consultant,
and even better, get one who's "real honest".  But my guess is those guys cost the
most of all, or at the very least, require the most research to find.

The ideal of capping the cost is commendable as well, however, when the consultant
finds midway through the project that his initial estimate (made as carefully as he
possibly can) is way too low, he will now have an incentive to lie, cut corners, etc.,
*particularly* if the customer looks like one of those antsy types who might withhold
payments and so on.

My advice:  Get a consultant to find a good IT consultant.  Seriously.