Wednesday, July 23, 2008

Security Risk Analysis Basics For Solution Providers

I saw an interesting article this morning by Steve Bigelow from Although his article is entitled Security Risk Analysis Basics for Solution Providers, it does a good job articulating why it is important for the client to understand the reality of threats, both from inside and outside the organization.

Steve does a good job pointing out the differences between a risk and a threat, and why they need to be evaluated independently in the context of a company's overall security strategy.

The first and last paragraphs really say it all - "No matter how much effort and resources go into securing IT infrastructures, businesses still face a wide range of risks as a result of threats and vulnerabilities like configuration errors, intrusions, viruses and even employees themselves. Corporations are rarely skilled or objective enough to perform thorough evaluations of their own security strategies, so solution providers can step in to perform a security risk analysis -- a detailed investigation that examines every aspect of the client's security posture, identifying weaknesses and recommending corrective actions."

"Security risk analyses are rarely one-time endeavors. The results of periodic analysis can often be used as waypoints that help an organization maintain a proper security posture in the face of changing threats, technologies and corporate cultures......."

Click on the title to see the full article.
