I would warmly recommend a tool for ISO 27001 automation that uses PTA - Practical Threat Analysis. What these folks have done is to write a generic library for performing an ISO 27001 assessment using the PTA Professional freeware. The framework is all there and you can build a real life threat model in about 15 minutes by adding your own threats and assets. The part I like about PTA is the optimized risk mitigation plan that recommends the most effective controls.
I concur - I've been using PTA - http://www.ptatechnologies.com for about 3 years in a wide variety of threat modeling missions from SOX IT audit to software security assessment like this -
http://www.software.co.il/case-studies/66-risk-assessment-of-software-as-a-service.html
Also - I would comment that quantitative analysis is the only way for us to start speaking the same lingo as the CEO
A major data loss event like Hannaford Supermarkets (4M credit card records leaked…) is a black swan as described by Nassim Nicholas Taleb - it has three characteristics:
1. Appears as a complete surprise to the company
2. Has a major impact to the point of maiming or destroying the institution (note the case of Card Systems or Hannaford whipping out a check for $10M to IBM for a get out of jail free card)
3. Event, after it has appeared, is ‘explained’ by human hindsight.
Danny Lieberman
http://www.software.co.il Buggy software, risky software
Dear colleagues,
I would like to inform you that in February 2009 we released an updated version of PTA Professional Edition (1.60 - build 1208) with major usability improvements.
PTA – Practical Threat Analysis – is a calculative threat modeling methodology and a risk assessment tool that assists security consultants and analysts in assessing the risks in their systems and building an appropriate risk mitigation policy. The role of a practical threat analysis process is to identify system vulnerabilities, map system assets, assess the risk of the threats and define an effective risk mitigation plan for a specific system architecture, functionality and configuration.
PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from the following link:
http://www.ptatechnologies.com
PTA fully supports the PCI DSS 1.1 and ISO 27001 standards as well as many useful security standards libraries which are available for free download from the following url:
http://www.ptatechnologies.com/?action=documents
Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.
Regards,
Zeev Solomonik
R&D - PTA Technologies
http://www.ptatechnologies.com
zeev_at_ptatechnologies_dot_com
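As an added illustration of the calculative approach described in the comments above (assets, threats, risk, and a cost-aware mitigation plan), here is a small model that is not PTA's own code or algorithm and is not part of the original thread. All asset values, probabilities, damage fractions and control costs are constructed figures.

```python
from collections import namedtuple

# Minimal data model (hypothetical; PTA's real schema is not reproduced here)
Asset = namedtuple("Asset", "name value")  # value: USD (constructed)
Threat = namedtuple("Threat", "name probability damage assets")
# probability: annual likelihood 0..1; damage: fraction of asset value lost; assets: names hit
Countermeasure = namedtuple("Countermeasure", "name cost mitigates")
# mitigates: threat name -> fraction of that threat's risk the control removes, 0..1

def threat_risk(threat, assets, controls=()):
    """Annualised loss expectancy of one threat after applying the given controls."""
    exposure = sum(assets[a].value * threat.damage for a in threat.assets)
    residual = 1.0
    for c in controls:  # controls are treated as independent, so residual risk multiplies
        residual *= 1.0 - c.mitigates.get(threat.name, 0.0)
    return threat.probability * exposure * residual

def total_risk(threats, assets, controls=()):
    return sum(threat_risk(t, assets, controls) for t in threats)

def plan_mitigation(threats, assets, candidates, budget):
    """Greedy plan: repeatedly add the affordable control with the best risk reduction per dollar."""
    chosen, remaining, spent = [], list(candidates), 0.0
    while remaining:
        current = total_risk(threats, assets, chosen)
        best, best_ratio = None, 0.0
        for c in remaining:
            if spent + c.cost > budget:
                continue
            ratio = (current - total_risk(threats, assets, chosen + [c])) / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:  # nothing affordable reduces risk any further
            break
        chosen.append(best); spent += best.cost; remaining.remove(best)
    return [c.name for c in chosen], total_risk(threats, assets, chosen)

# Constructed sample model (hypothetical figures, not real data)
ASSETS = {"customer_db": Asset("customer_db", 1_000_000), "web_app": Asset("web_app", 200_000)}
THREATS = [Threat("sql_injection", 0.3, 0.5, ["customer_db"]),
           Threat("dos", 0.5, 0.2, ["web_app"]),
           Threat("insider_leak", 0.1, 0.8, ["customer_db"])]
CONTROLS = [Countermeasure("code_review", 20_000, {"sql_injection": 0.6}),
            Countermeasure("waf", 30_000, {"sql_injection": 0.7, "dos": 0.5}),
            Countermeasure("dlp", 60_000, {"insider_leak": 0.5}),
            Countermeasure("cdn", 25_000, {"dos": 0.9})]
```

With an 80,000 budget the sample model starts at 250,000 annual expected loss and the plan picks code_review, waf and cdn, leaving 99,000 of residual risk concentrated in the unmitigated insider threat.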
Nice blog!! Thanks for sharing the information about ISO consultants. This blog is nice and interesting to read.