Greg et al,
To provide my .02 worth
One could present an Executive summary of the overall security assessment
results which can be presented and distributed to key management at your
particular client in a clear and concise fashion. This executive summary
would describe at a high level the significance of the information that
your team was able to obtain, if any, and would "benchmark" your client's
overall security environment against other organizations having similar
technology and information protection concerns. In addition, you could
evaluate the data security environment and present the effectiveness with
which you are addressing the following:
Enticement Level of information provided to a potential hacker (e.g.,
letting an unauthorized user know that a computer of a major enterprise has
Prevention Level of security measures used to prevent unauthorized access
(e.g., dial back, access control software).
Detection Level of active security monitoring and follow-up of unauthorized
access attempts (e.g., review of unauthorized access reports).
The second half of your report could provide detailed explanations of the
security implications and risks of the exposures found related to the
security assessment. Covering the following:
The finding or weakness noted;
The implication of the finding or weakness;
The level of risk the finding or weakness poses the organization;
The level of effort required (resources) to correct or minimize the
identified finding or weakness
A detailed solution to correct or minimize the identified finding or weakness.
At 06:27 PM 2/21/98 -0500, Craig I. Hagan wrote:
>I think that the real question might be the political need
>for not being harsh: by being blunt, the audit could
>be putting the instigators of the audit's jobs at
>risk whereas by using similar (but less threatening language),
>one might be able to present the information in a manner more
>politically palettable to the rest of the company.
>for example, instead of stating that the unix machine is
>wide open to hackers, one might instead recommend bringing
>internet mail server software up to the latest revision
>so as to mimimize risk. says roughly the same thing,
>but in a more passive tone.
"Let's Play, GLOBAL THERMO NUCLEAR WAR"