











Systems Security Assessment Framework (ISSAF)
Ciaban
Junior Member M

Registered: Aug 2003 Location: Country: United States State: Certifications: CISSP, ISSMP, ISSAP, CHS-III, CEI, CEH, CCNA, Network+, A+, Other Working on:
Total Posts: 12
Systems Security Assessment Framework (ISSAF)
The Information System Security Assessment Framework (ISSAF) is a peer-reviewed structured framework that categorizes information system security assessment into various domains & details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real life scenarios. ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. ISSAF includes the crucial facet of security processes and their assessment and hardening to get a complete picture of the vulnerabilities that might exist.
...
http://www.oissg.org/issaf
__________________
Jeremy Martin
Information Security consultant
www.infosecwriter.com
"Real programmers use copy con program.exe"
02-21-05 11:51 PM
yanqui
still here... F

Registered: Oct 2002 Location: Country: United States State: Certifications: a+ Working on: Net+, Citrix, Linux+
Total Posts: 1588
HI, Jeremy! Are you trying to recruit for the security field? 
That's my field of interest, I'm trying to lay the groundwork for it with a good understanding of systems fundamentals. I see you have a lot of security credentials. Give me some feedback on the state of the security field:
Is it, in general and in your opinion, understaffed, overstaffed, or just about adequately staffed?
As we see proliferating threats, will there be adequate and adequately trained personnel to handle the threats and educate users?
Are end users still the biggest vulnerability to system security, or is that honor now in the hands of the crackers?
Is this a field that will grow steadily with regard to budgets, or are companies becoming security-complacent?
Same question, but with regard to personnel, or will we see a glut?
__________________
still here...
02-22-05 08:27 PM
Ciaban
Junior Member M

Registered: Aug 2003 Location: Country: United States State: Certifications: CISSP, ISSMP, ISSAP, CHS-III, CEI, CEH, CCNA, Network+, A+, Other Working on:
Total Posts: 12
quote: HI, Jeremy! Are you trying to recruit for the security field?
Na, just for the ISSAF. It's a good group of people and the more that contribute to the paper, the better quality it will become.
quote: Is it, in general and in your opinion, understaffed, overstaffed, or just about adequately staffed?
Understaffed and misunderstood. Most small shops feel that security is the job of the admin or tech.
quote: As we see proliferating threats, will there be adequate and adequately trained personnel to handle the threats and educate users?
There are a lot of great things on the horizon that will help with this issue. Just need to keep in mind that InfoSec changes faster than the regular tech industry, so training always needs to be kept up to date. Even if it is in the form of free webcasts from SANS and Microsoft. As far as "adequately trained personnel", I never see that as realistic because most companies do not see the value in it unless they are forced by regulations like SOX and HIPAA.
quote: Are end users still the biggest vulnerability to system security, or is that honor now in the hands of the crackers?
End users will always be the biggest threat. Reminds me of a great shirt on Jinx. "Because there is no patch for human stupidity" - http://www.jinx.com/scripts/details...&productID=122.
Statistics show criminal hacking the lowest in 5 years.
quote: Is this a field that will grow steadily with regard to budgets, or are companies becoming security-complacent?
It will grow. There are laws to enforce now.
quote: Same question, but with regard to personnel, or will we see a glut?
It will probably be filled to the brim with people in a couple years. Every "hot" profession goes through that phase. Then the weak start to get weeded out after the demand dies. Unfortunately, so does the pay.
__________________
Jeremy Martin
Information Security consultant
www.infosecwriter.com
"Real programmers use copy con program.exe"
02-23-05 12:15 PM