Firewall Wizards mailing list archives
Re: tunnel vs open a hole
From: Duncan Sharp <drsharp () pacbell net>
Date: Wed, 16 Apr 2003 16:36:13 -0700
George Capehart wrote:
On Thursday 10 April 2003 09:24 pm, Duncan Sharp wrote:
<snip>
(I'm re-trying the reply to Duncan; the first time it didn't make it through. He has raised some questions/issues that I think deserve to be addressed . . .)
All;
I too am still unsure of the true meaning of the following, which was extracted (by my earlier posting) from the COBIT FAQ section:
In trying to better understand Risk, COBIT eliminated "Risk Statements" from its Control Objectives in favor of "the pro-active approach (objects are to be achieved) over the reactive approach (risks are to be mitigated)".
I'm not sure that I understand what this statement means.
I have since downloaded more of the documents from the site, including the Control, Overview and Framework.
The documents I had read from COBIT's site prior to downloading the "Standards" were from Procedures of IS Auditing: "IS Risk ASSESSMENT Measurement"
I can address the segment: "eliminated 'Risk Statements' from its Control Objectives," though. In COBIT, 3rd Edition, High-level Control Objective PO9 is: Assess Risks. Under this high-level objective there are eight detailed objectives:
1. Business Risk Assessment
2. Risk Assessment Approach
This is the only section of PO9 that mentions security specialists (security specialists identify threats) and IT specialists (IT specialists identify control selection). Management leads this effort by setting the scope/framework, helping identify vulnerabilities, and leading the identification of the risk mitigation solution.
3. Risk Identification
Further defines item 2 above, and defines the essential risk elements as: [in]tangible assets, asset value, threats, vulnerabilities, safeguards, consequences, and likelihood of threat. It then further defines item 2 to include such areas as legal, business, human resources risks, and so on. Defines management as the lead here.
4. Risk Measurement
This item only states that either a qualitative or quantitative result comes from the risk identification information asset. Identifies management as the lead here again.
5. Risk Action Plan
The Risk Action Plan suggests identifying actions as avoidance, mitigation, or acceptance.
6. Risk Acceptance
7. Safeguard Selection
8. Risk Assessment Commitment
(from the COBIT 3rd Edition Control Objectives, July 2000)
And in the 3rd Edition Audit Guidelines there is a whole section on evaluating how well those objectives are met. Some of the things that are looked at/for are:
These are from the "High Level Control Objective" for "Assessing Risks"
"And takes into consideration"
- risk management ownership and accountability
- different kinds of IT risks (technology, security, continuity, regulatory, etc.)
- defined and communicated risk tolerance profile
- root cause analyses and risk brainstorming sessions
- quantitative and/or qualitative risk measurement
- risk action plan
- timely reassessment
So there are some "Risk Statements" left . . . and, IMHO, they do a reasonable job of evaluating the risk management process.
Yes, I agree there are "Risk Statements" left.
But what appears to have been done is to avoid specifying any particular security risk/threat/vulnerability as a risk item (or a risk to be mitigated), but rather to allow identified security (or other types of) threats to be identified in terms of a business risk.
Or what the FAQ's "pro-active" risk statement meant is the section "Delivery and Support" (5), subsection "Ensure Systems Security" 5.1 to 5.21, which are objectives for IT security to implement and/or control.
Thank you for your post; otherwise I would not have looked at all the documents at the site.
Yours,
Duncan
BR
- --
George Capehart PGP Key ID 63F0F642 at http://pgp.mit.edu
"Excuse of the day: We're on Token Ring, and it looks like the token got loose." -- BOfH
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards