[NBLUG/talk] acceptable risk

Steve S. northbaygeek at gmail.com
Wed Nov 20 08:58:30 PST 2013


I've got my own project (simple graphics) where my Google-fu is proving weak.

But I got some (hopefully-relevant) hits for you:

   http://en.wikipedia.org/wiki/IT_risk_management
(NB:  Wikipedia has an extremely-varied reputation.  Do *NOT* cite
this to your company, unless you know they use Wikipedia as a resource
(in some venues, citing Wikipedia destroys your credibility)!
*HOWEVER* the "References" and "External Links" sections (at the end)
are likely to be invaluable -- review THEM for your needs, and cite
from THEM...)

http://www.theiia.org/intAuditor/itaudit/archives/2007/may/understanding-the-risk-management-process/
The author is Dir.IT for a risk-management consultancy.  The journal
is "Internal Auditor," which is relevant but not precisely-targeted;
the article is general (not IT-specific) risk-management, but the
guy's (presumed) IT background SHOULD be useful...

http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
Source NIST.gov, so highly-reputable.

I haven't read all 3 in detail.  Hopefully, they'll be useful...

On Wed, Nov 20, 2013 at 8:46 AM, Kendall Shaw <kshaw at kendallshaw.com> wrote:
> Thanks. Reading about PCI compliance seems like it might be helpful. I see
> documentation about prioritizing plans for compliance which I think implies
> considering acceptable levels of risk.
>
> Starting from zero, I can imagine listing some vulnerabilities and listing
> costs involved with addressing the vulnerabilities. But, that is only one
> step beyond this plan:
>
> problem -> solution
>
> An example of being too conservative would be to say that people may not
> attach their computers to a network. Another extreme would be to say that
> authentication wastes resources that could be spent on producing a product.
>
> Kendall
>
>
> On 11/20/2013 08:25 AM, Aaron Grattafiori wrote:
>
> I am no standards expert, but I do work in security.
>
> Standards can help, it varies on the starting security level of the
> environment. Sometimes people need certification and standards for reasons,
> other times they need. PCI can be seen as an example. It isn't a silver
> bullet (as nothing in security is) but does it help? You bet.
>
> ISO2700, as far as I remember, is more geared toward physical security and
> access vs anything technical. Someone from Sonic could probably correct me,
> although I doubt they've gone through the process for their datacenter.
>
> Assessing risk is a complex topic, and not a responsibility taken lightly if
> those decisions (or lack of) are what provide the budget, people or time for
> actual security.
>
> Hope that helps?
>
> -Aaron
>
> On Nov 20, 2013 8:13 AM, "Kendall Shaw" <kshaw at kendallshaw.com> wrote:
>>
>> Hi,
>>
>> If this is too far off topic, sorry. It is about network security and
>> system administration, so it is kind of sort of about linux...
>>
>> I am employed as a computer programmer. Security policies are being
>> developed where I work. It is not my job to deal with the issue, but it is
>> going to affect my ability to do work. One major concern that I have is that
>> it doesn't appear to me that people understand the concept that you can
>> never be 100% secure.
>>
>> I would hope that a person tasked with establishing policies would include
>> a plan for assessing acceptable risks by balancing competing factors like
>> the need to be able to produce a product. Do you know of any articles or
>> books that have concrete advice for developing a plan to assess acceptable
>> levels of risk within an organization? Or, do you have any concrete advice
>> that is general about the subject?
>>
>> In books about QA there are examples of the type of thing I have been
>> hoping to find, where it describes an outline for designing a set of
>> questions to apply to a given situation in order to devise a test plan.
>>
>> I usually fail to convey the idea that I am asking about a general
>> practice, not what do I do right now about a particular situation. For
>> example "How do I become a pilot" asks for advice about a practice. "How
>> should I trap the gopher that is in my backyard" asks for advice about a
>> particular situation.
>>
>> An example of concrete advice about a general subject is: the ISO 27001
>> standard.
>>
>> Do you have any advice?
>>
>> Kendall
>> _______________________________________________
>> talk mailing list
>> talk at nblug.org
>> http://nblug.org/cgi-bin/mailman/listinfo/talk
>
> --
> Sorry, you must accept the license.
>



-- 
"When I became a man I put away childish things, including the fear of
childishness and the desire to be very grown up."      -CS Lewis
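
Kendall's sketch above (list the vulnerabilities, list the cost of addressing each, decide what is acceptable) can be made concrete with a small risk register. What follows is an added example written for this page, not code from any participant in the thread nor from the NIST or IIA documents linked above. It assumes the usual annualized-loss model (ALE = ARO x SLE, where ARO is the expected occurrences per year and SLE the loss per occurrence), and every risk, control, cost, frequency and tolerance figure in it is constructed for illustration, not taken from any real organization.

```python
"""Toy risk register: decide which risks to accept, treat or escalate.

Model (an assumption of this example, not the thread's): a risk has an
annual rate of occurrence (ARO) and a single loss expectancy (SLE), so
ALE = ARO * SLE. A control cuts ARO and/or SLE at some yearly cost, which
includes lost productivity (Kendall's "competing factors"). A control is
worth applying when the ALE it removes exceeds its total cost; a risk whose
ALE is already under the organization's tolerance is accepted and recorded.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float            # money spent per year to run the control
    aro_reduction: float = 0.0    # fraction of occurrences prevented, 0..1
    sle_reduction: float = 0.0    # fraction of per-incident loss removed, 0..1
    productivity_cost: float = 0.0  # staff time lost per year, in money


@dataclass
class Risk:
    name: str
    aro: float                    # expected occurrences per year
    sle: float                    # expected loss per occurrence
    controls: list = field(default_factory=list)

    def ale(self, control=None):
        """Annual loss expectancy, optionally with one control applied."""
        if control is None:
            return self.aro * self.sle
        return (self.aro * (1 - control.aro_reduction)
                * self.sle * (1 - control.sle_reduction))


def best_control(risk):
    """Return (control, net_benefit) for the control with the largest net
    benefit, or (None, 0.0) if no control pays for itself.

    net benefit = ALE removed - (annual cost + productivity cost).
    A negative value means the cure costs more than the disease.
    """
    best = (None, 0.0)
    for c in risk.controls:
        removed = risk.ale() - risk.ale(c)
        net = removed - (c.annual_cost + c.productivity_cost)
        if net > best[1]:
            best = (c, net)
    return best


def decide(risk, tolerance):
    """Classify one risk against the organization's ALE tolerance.

    accept              ALE already within tolerance; document it and move on
    treat               a control pays for itself and brings ALE under tolerance
    treat-and-escalate  a control pays for itself but residual ALE is still high
    escalate            no control is worth its cost, yet ALE exceeds tolerance;
                        management must accept, transfer (insure) or avoid it
    """
    if risk.ale() <= tolerance:
        return "accept", None
    control, _net = best_control(risk)
    if control is None:
        return "escalate", None
    if risk.ale(control) <= tolerance:
        return "treat", control.name
    return "treat-and-escalate", control.name


def plan(risks, tolerance):
    """Rank risks by ALE (worst first) and attach a decision to each.

    Each row is (risk name, ALE, decision, control name or None).
    """
    ranked = sorted(risks, key=lambda r: r.ale(), reverse=True)
    return [(r.name, round(r.ale(), 2), *decide(r, tolerance)) for r in ranked]


# Constructed sample register; none of these numbers come from a real site.
SAMPLE_RISKS = [
    Risk("stolen unencrypted laptop", aro=0.5, sle=40_000, controls=[
        Control("full-disk encryption", 2_000, aro_reduction=0.95,
                productivity_cost=500)]),
    Risk("phishing leads to mailbox takeover", aro=2.0, sle=15_000, controls=[
        Control("MFA on webmail", 6_000, aro_reduction=0.9,
                productivity_cost=3_000),
        Control("annual awareness training", 4_000, aro_reduction=0.3)]),
    Risk("defaced marketing site", aro=0.2, sle=3_000, controls=[
        Control("WAF", 5_000, aro_reduction=0.8)]),   # costs more than it saves
    Risk("datacenter fire", aro=0.02, sle=2_000_000, controls=[
        Control("off-site replica", 120_000, sle_reduction=0.9)]),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_RISKS, tolerance=5_000):
        print(row)
```

The point of the two extreme rows is the one Kendall raises: the WAF is rejected even though it works, because its cost exceeds the loss it prevents (accepting that risk is the rational choice), while the datacenter fire ends up escalated because no affordable control gets it under tolerance, which is where insurance or a business decision to accept belongs rather than an engineering one. Changing the tolerance figure shifts rows between "accept" and "treat", which is exactly the knob a policy should state explicitly.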