Re: Security Grade

From: Ed Fuller (ed@securityhorizon.com)
Date: Mon Dec 10 2007 - 20:37:32 EST



If you are looking for a good way to score the results, I recommend
(with bias) the NSA IEM. It is flexible for any organization and can be
used no matter the scope. It is also a great mechanism for scoring
findings from all three areas, Management, Operational, and Technical.

Ed Fuller, CISSP, IEM, IAM
COO/Principal ed@securityhorizon.com
Phone: 719-488-4500
FAX: 719-268-1709
Cell: 719-659-8195
http://www.securityhorizon.com
Security Horizon, Inc
"Your global information security experts"
Copyright 2007

JD Lampard wrote:
> A points system is what I use... 0 (worst) - 10
> (best). Then an overall percentage is given which
> helps people put the score into perspective easily.
> However, this can also be misleading... let's say test
> by test you get 10 except for a couple of tests for
> router, firewall, and IDS for which you get very bad
> scores. Looking at the overall score gives a false
> sense of security to the casual report reader.
>
> Hope this helps.
>
> --- 11ack3r <11ack3r@gmail.com> wrote:
>
>> Hi,
>>
>> Is there a security criterion or matrix against which
>> we could grade customer's pen test results? Like
>> assigning them a grade between A to E or 1 to 10.
>>
>> *.*
>>
>>
> ------------------------------------------------------------------------
>> This list is sponsored by: Cenzic
>>
>> Need to secure your web apps NOW?
>> Cenzic finds more, "real" vulnerabilities fast.
>> Click to try it, buy it or download a solution FREE
>> today!
>>
>> http://www.cenzic.com/downloads
>>
> ------------------------------------------------------------------------
>>

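As an added illustration of the averaging problem JD Lampard describes (example code written for this page, not from the thread, the NSA IEM, or Security Horizon): the test names, the scores and the choice of router/firewall/IDS as the "critical" controls are constructed assumptions, and the capped headline grade is one way to keep a few bad perimeter scores from being hidden by many passing tests.

```python
"""Added example: a 0-10 per-test points scheme with an overall percentage,
and why the overall figure alone can mislead when a few critical controls
score badly. Names and scores below are constructed sample data."""

from statistics import mean

# Constructed sample: most tests score 10, but the perimeter controls do badly.
SAMPLE_SCORES = {
    "patch_levels": 10, "password_policy": 10, "web_app_auth": 10,
    "tls_config": 10, "logging": 10, "physical_access": 10,
    "wireless": 10, "backup_restore": 10,
    "router_acls": 2, "firewall_ruleset": 1, "ids_coverage": 0,
}

# Controls whose failure we treat as critical (an assumption for this example).
CRITICAL = {"router_acls", "firewall_ruleset", "ids_coverage"}


def overall_percentage(scores):
    """The thread's scheme: average of the 0-10 scores as a percentage."""
    return round(mean(scores.values()) / 10 * 100, 1)


def grade_with_floor(scores, critical=CRITICAL, floor=5):
    """Report the plain average next to the worst critical-control score,
    list the critical controls below the floor, and cap the headline grade
    at what the weakest critical control earned."""
    pct = overall_percentage(scores)
    worst = min((scores[n] for n in critical if n in scores), default=10)
    failing = sorted(n for n in critical if scores.get(n, 10) < floor)
    # A headline grade can never exceed the weakest critical control (x10 to
    # put the 0-10 score on the same percentage scale).
    capped = min(pct, worst * 10)
    return {"average_pct": pct, "worst_critical": worst,
            "capped_pct": capped, "failing_critical": failing}


if __name__ == "__main__":
    # The average alone reads as a comfortable pass; the capped view does not.
    print(overall_percentage(SAMPLE_SCORES))
    print(grade_with_floor(SAMPLE_SCORES))
```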



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:14 EDT