Speaking of risk assessment, my company is looking for qualification statements from consultants prepared to do a thorough risk assessment of the computing practices of an international environmental consulting company. Does anybody have any leads to this sort of consultant or (more importantly) recommendations for a particular consultant? Your help would be most appreciated. On Tue, 30 Jan 1996, Ira S. Winkler wrote: > When you conduct a thorough risk assessment, you have to look at the threats > and vulnerabilities by default. I tend to believe that vulnerabilities are > more important to consider than threats, in most cases, because threats would > be irrelevant if there are no vulnerabilities. It is true that vulnerabilities > would be irrelevant without threats, but if you have anything of value than > there will be a threat. > > The big question becomes how much money do you want to put towards > countermeasures, which is dependent upon the value of your information and > the value of the services dependent upon your information resources. > > Ira > > [Quoted Article Deleted]