What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level? I'm asking about a true risk assessment framework, not merely a checklist.

Yes, this is a bit of a META-Question. But then it's Sunday, a day for contemplation.

When does something like these stop being a check-list and become a framework?

COBIT is very clearly a framework, but not for risk analysis, and even the section on risk analysis fits into a business model rather than a technology model.

ISO-27K is arguably more technology (or at least InfoSec) focused than COBIT, but again risk analysis is only part of what it's about. ISO-27K calls itself a standard but in reality it's a framework.

The message that these two frameworks send about risk analysis is

Context is Everything

(You expected me to say that, didn't you?)

I'm not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.

Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis .. presumably because their doing so has brought us to the international financial crisis we're in (though I don't think it's that simple).

The trouble is that RA is a bit of a 'hypothetical' exercise.

And the other side of the trouble is that the non-hypothetical alternative seems to be the sort of statistical modelling that Alex Hutton and Pete Lindstrom advocate, and my own background in statistics from having worked at an insurance company gives me no confidence in the applicability of those methods in a rapidly changing field like InfoSec.

"Methodology" I like; "Model" I'm wary of. I've seen too many RAs that are excellent paper models and have no correspondence to what was actually faced.

Case in point, for a government project I worked on. The RA was for the operation of the final deliverable, with the firewall installed and configured and the switch installed and all the VLANs configured.

The reality was that as the system was being built the firewall was turned off and the switch was run as a hub - flat - so exposing everything to the internet. There was no DNS or DHCP or YP/NIS or LDAP set up, so all addresses were hard coded, and hard coded into the software as well. The end result was that it was impossible to create the subnets that the final design required and which had been part of the model the RA assumed.

This RA was done by a supposedly experienced TLA "Big Name".

Now I realize that an RA for the 'build' could have been done, but this Big Name Firm didn't. The project managers did not do a "project-in-progress" RA; and this was a government project, so you'd expect serious and experienced and wary PMs. But no.

I've commented many times on the gap between the Verb and the Noun in the way things work and the way people do things. This is another example. No matter the good of RA as a model of how things should be done (the 'Noun'), the doing (the 'Verb') always seems to leave a lot to be desired.

It is for this reason I put a lot of emphasis on Incident Response and the necessary monitoring and logging, on DR plans and exercises, and training for both.

The real world people who have to deal with matters like this, the military, firemen, airport safety crews and the like, construct scenarios and model how to respond, and then carry out exercises and run 'post-mortems' that examine how effective their planning and training was.

How does our profession compare with that?

If you want to see a real standard, look how something like the Whitworth screw thread standard is defined.
vering them up.
- Final results of COSO vs ISO risk management survey (normanmarks.wordpress.com)
- GRC Framework - Stable Stakes for Good Management (infocus.emc.com)
- Are We Risk Averse or Risk Ignorant? (socialfish.org)
- Choosing the Risk Framework with the Best Fit (ossie-group.org)
- ISACA refreshes best practices for IT shops (techworld.com.au)
- What executives should know, but often don't, about risk management (normanmarks.wordpress.com)
- About ISO 27001 Risk Statement and Controls (infosecblog.antonaylward.com)
- COSO ERM or ISO 31000? Which is better? (normanmarks.wordpress.com)
- The piece COSO and ISO forgot (normanmarks.wordpress.com)
- Study on Software Risk Identification and Analysis by Graph Mining (gufranahmad.wordpress.com)