
	Home > Ask the Security Experts > Expert Archive: Security Management Questions & Answers > What types of software can help a company perform a security risk assessment?

Ask The Security Expert: Questions & Answers

EMAIL THIS

What types of software can help a company perform a security risk assessment?

EXPERT RESPONSE FROM: Mike Rothman, past SearchSecurity.com expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 07 August 2007
We are looking to conduct an information systems risk assessment as part of one of the recommendations following a Sarbanes-Oxley review. What software is available to help a medium-sized company (1,000 employees, $1 billion in sales) perform an information security risk assessment?

BROWSE BY TAG

Expert Archive: Security Management, Security Audit, Compliance and Standards, Sarbanes-Oxley Act, Enterprise Risk Management: Metrics and Assessments, Information Security Management, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Expert Archive: Security Management
	What is the GISP certification and how does it compare to the CISSP certification?
	Using a QSA to write up a PCI DSS report on compliance (ROC)
	How can gap analysis be applied to the security SDLC?
	Comparing cheap security products and appliances to costly appliances
	What are some tips on protecting my security budget in a poor economy?
	What value do research firms provide to their subscribing enterprises?
	What certificate offers the best ROI for an IT project manager?
	Is insider activity or outsider activity a bigger enterprise threat?
	How does information security prevent fraud in the enterprise?
	Differences between an SAS 70 data center and a Tier III data center

Sarbanes-Oxley Act

SOX compliance burdens midmarket security teams

Ex-SEC chief Pitt decries state of Sarbanes-Oxley, risk management

Information security book excerpts and reviews

Internal audits for Sarbanes Oxley and internal IT support

Internal auditors and CISOs mitigate similar risks

Implement security and compliance in a risk management context

Does password sharing in international branches violate SOX?

Consensus Controls project aims to set benchmarks for compliance

Security visualization helps make log files work

The Little Black Book of Computer Security, 2nd Edition

Sarbanes-Oxley Act Research

Enterprise Risk Management: Metrics and Assessments

How to justify information security spending on cloud computing

Layoffs prompt insider threat fears, cybersecurity survey finds

How to avoid Internet liability lawsuits

Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way

Bernie Rominski: Communicate Effectively with Management about Risk

Best Policy and Risk Management Products

Monitoring program data and internal controls for risk management

Risk management strategy for an information technology solution provider

Align your data protection efforts with GRC

The basics of enterprise GRC project management

Enterprise Risk Management: Metrics and Assessments Research

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

There are a number of product categories you can use to do a risk assessment. But don't be fooled into thinking that a tool will be a panacea to keeping your SOX auditors happy.

First, look at vulnerability scanners that can test networks, systems and applications. These are usually three separate product categories, but since any of your systems can be compromised by any attack vector, you'll need all three in order to compile a comprehensive list of what is vulnerable.

You may also want to look at an automated penetration-testing product. There are both open source and commercial options available; these can take vulnerability scanners to the next level and help you determine not only what is vulnerable, but also what can be exploited.

Finally, consider some good old-fashioned elbow grease in your risk assessment as well, in the form of a penetration test performed by humans. This can help you understand both the physical and logical places where your networks and/or systems can be compromised. Software is still evolving and can't really evaluate all of the social engineering techniques that modern-day hackers employ.

So in a nutshell, it's a little more complicated than going down to Best Buy and buying a yellow (or green) box to fix your problems. You'll need to use a variety of tools, assemble and assimilate the results and figure out what is truly at risk. So your most effective software is going to be the OS running in your brain.

For more information:

In this SearchSecurity.com Q&A, Mike Rothman explains why and how all members of the senior security staff should be involved in the risk assesment process.

Learn how to properly react to a business partner's insider threat.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy