Re: SME risk assessment (Was: Bank Assessment)

From: fergus (fergus@cobbled.net)
Date: Mon Apr 26 2004 - 16:13:42 EDT


On 26.04-17:24, miguel.dilaj@pharma.novartis.com wrote:
[ ... ]
> The risk of being blamed for hacking activities, DoS, storing child porn,
> etc., has to be considered as well, and absolutely every individual and
> company out there is exposed to that if someone can compromise their
> systems. The publicity impact can be also very serious.
>
> I can perfectly understand your recent discussion if we don't take into
> account the above, and I tend to agree with you (if I understood you
> correctly). Both of you are partially right.

it's not an issue of correctness or methodology; it
is a question of politics - or more specifically
perceived risk.

i run a small business for small businesses. it
includes security auditing (as well as other
services). if i produce a report that doesn't fit
on a stick-it note then it better be critical -
and more importantly - perceived as such; at least
by the end of a short discussion.
n.b: critical ~ make/save money

why? small business is _all_ about priorities. and
mainly short term priorities. other things are
basically overheads (of time, money and probably
both) to be avoided at all costs.
n.b: priorities ~ cash flow

if security fits on that list they're probably
selling it.

hey - i'm not saying this is universal, i'm just
saying don't jump in too deep. i've done it - it
will only get returns in very specific cases (of
which i've yet to come across).

good luck,

-- 
: fergus cameron                :   [ .]        cobbled    :
: ^^^^^^@cobbled.net            : [ ~][ ]             .net :


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:53 EDT