Ask the Expert

What types of software can help a company perform a security risk assessment?

We are looking to conduct an information systems risk assessment as part of one of the recommendations following a Sarbanes-Oxley review. What software is available to help a medium-sized company (1,000 employees, $1 billion in sales) perform an information security risk assessment?


There are a number of product categories you can use to do a risk assessment. But don't be fooled into thinking that a tool will be a panacea to keeping your SOX auditors happy.

First, look at vulnerability scanners that can test networks, systems and applications. These are usually three separate product categories, but since any of your systems can be compromised by any attack vector, you'll need all three in order to compile a comprehensive list of what is vulnerable.

You may also want to look at an automated penetration-testing product. There are both open source and commercial options available; these can take vulnerability scanners to the next level and help you determine not only what is vulnerable, but also what can be exploited.

Finally, consider some good old-fashioned elbow grease in your risk assessment as well, in the form of a penetration test performed by humans. This can help you understand both the physical and logical places where your networks and/or systems can be compromised. Software is still evolving and can't really evaluate all of the social engineering techniques that modern-day hackers employ.

So in a nutshell, it's a little more complicated than going down to Best Buy and buying a yellow (or green) box to fix your problems. You'll need to use a variety of tools, assemble and assimilate the results and figure out what is truly at risk. So your most effective software is going to be the OS running in your brain.

For more information:

  • In this SearchSecurity.com Q&A, Mike Rothman explains why and how all members of the senior security staff should be involved in the risk assessment process.
  • Learn how to properly react to a business partner's insider threat.

This was first published in October 2007.
