[NBLUG/talk] acceptable risk

Kendall Shaw kshaw at kendallshaw.com
Wed Nov 20 11:53:51 PST 2013


Thanks. I've only flipped through things. The article uses the words 
"acceptable risk" and elaborates some. There are several links that I 
hadn't seen before.

On 11/20/2013 08:58 AM, Steve S. wrote:
> I've got my own project (simple graphics) where my Google-fu is proving weak.
>
> But I got some (hopefully-relevant) hits for you:
>
>     http://en.wikipedia.org/wiki/IT_risk_management
> (NB:  Wikipedia has an extremely-varied reputation.  Do *NOT* cite
> this to your company, unless you know they use Wikipedia as a resource
> (in some venues, citing Wikipedia destroys your credibility)!
> *HOWEVER* the "References" and "External Links" sections (at the end)
> are likely to be invaluable -- review THEM for your needs, and cite
> from THEM...)
>
> http://www.theiia.org/intAuditor/itaudit/archives/2007/may/understanding-the-risk-management-process/
> The author is Dir.IT for a risk-management consultancy.  The journal
> is "Internal Auditor," which is relevant but not precisely targeted;
> the article is general (not IT-specific) risk-management, but the
> guy's (presumed) IT background SHOULD be useful...
>
> http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
> Source NIST.gov, so highly-reputable.
>
> I haven't read all 3 in detail.  Hopefully, they'll be useful...
>
> On Wed, Nov 20, 2013 at 8:46 AM, Kendall Shaw <kshaw at kendallshaw.com> wrote:
>> Thanks. Reading about PCI compliance seems like it might be helpful. I see
>> documentation about prioritizing plans for compliance which I think implies
>> considering acceptable levels of risk.
>>
>> Starting from zero, I can imagine listing some vulnerabilities and listing
>> costs involved with addressing the vulnerabilities. But, that is only one
>> step beyond this plan:
>>
>> problem -> solution
>>
>> An example of being too conservative would be to say that people may not
>> attach their computers to a network. Another extreme would be to say that
>> authentication wastes resources that could be spent on producing a product.
>>
>> Kendall
>>
>>
>> On 11/20/2013 08:25 AM, Aaron Grattafiori wrote:
>>
>> I am no standards expert, but I do work in security.
>>
>> Standards can help, it varies on the starting security level of the
>> environment. Sometimes people need certification and standards for reasons,
>> other times they need. PCI can be seen as an example. It isn't a silver
>> bullet (as nothing in security is) but does it help? You bet.
>>
>> ISO2700, as far as I remember, is more geared toward physical security and
>> access vs anything technical. Someone from Sonic could probably correct me,
>> although I doubt they've gone through the process for their datacenter.
>>
>> Assessing risk is a complex topic, and not a responsibility taken lightly if
>> those decisions (or lack of) are what provide the budget, people or time for
>> actual security.
>>
>> Hope that helps?
>>
>> -Aaron
>>
>> On Nov 20, 2013 8:13 AM, "Kendall Shaw" <kshaw at kendallshaw.com> wrote:
>>> Hi,
>>>
>>> If this is too far off topic, sorry. It is about network security and
>>> system administration, so it is kind of sort of about linux...
>>>
>>> I am employed as a computer programmer. Security policies are being
>>> developed where I work. It is not my job to deal with the issue, but it is
>>> going to affect my ability to do work. One major concern that I have is that
>>> it doesn't appear to me that people understand the concept that you can
>>> never be 100% secure.
>>>
>>> I would hope that a person tasked with establishing policies would include
>>> a plan for assessing acceptable risks by balancing competing factors like
>>> the need to be able to produce a product. Do you know of any articles or
>>> books that have concrete advice for developing a plan to assess acceptable
>>> levels of risk within an organization? Or, do you have any concrete advice
>>> that is general about the subject?
>>>
>>> In books about QA there are examples of the type of thing I have been
>>> hoping to find, where it describes an outline for designing a set of
>>> questions to apply to a given situation in order to devise a test plan.
>>>
>>> I usually fail to convey the idea that I am asking about a general
>>> practice, not what do I do right now about a particular situation. For
>>> example "How do I become a pilot" asks for advice about a practice. "How
>>> should I trap the gopher that is in my backyard" asks for advice about a
>>> particular situation.
>>>
>>> An example of concrete advice about a general subject is: the ISO 27001
>>> standard.
>>>
>>> Do you have any advice?
>>>
>>> Kendall
>>> _______________________________________________
>>> talk mailing list
>>> talk at nblug.org
>>> http://nblug.org/cgi-bin/mailman/listinfo/talk
>>
>>
>>
>>
>> --
>> Sorry, you must accept the license.
>>
>
>


-- 
Sorry, you must accept the license.
