The control directory is a summary of each technology security review document. Now, however, we start to add the risk and probability of the exposure actually occurring in your environment.
Following are some examples for messaging-related issues:
Once you have the control directory filled out, you will need to chart the data in an environment risk table, which is actually composed of two tables: the impact table and the cost table, which is driven by the impact table.
After filling out the charts, you will analyze the results. In our example, you would do the following:
In Tables 9.5 and 9.6, look at the Recommend column. Extract the information for each row that shows YES. This is the data you will use to determine the total security plan and a budget. The other items listed may provide some level of security, but may not be practical to implement.
Threat | Control | Potential of Occurrence | Cost | Recommend |
---|---|---|---|---|
2023 Data sent to external users | Train users | High | $10,000 | Yes |
4067 Ninjas break in on the 30th floor and force people to reveal their passwords | Army of Ninjas | Very Low | $1,000,000 | No |
3011 Hacking tool can grant admin access for any user | Upgrade O/S to service pack 9 | Medium | Under $1,000 (labor cost) | Yes |

Threat | Control | Potential of Occurrence | Cost | Recommend |
---|---|---|---|---|
A virus can damage messages | Install virus scanning software | High | $35,000 (includes hardware and software) | Yes |
Messaging administrator can access and manipulate data content as the owner of any mailbox | Administrator training and auditing | Medium | $3,000 | Yes |
Messages received from SMTP message systems may not reflect the true sender | Difficult to manage; the best control is to train users on how to receive encrypted and signed messages | High | Cost covered in other initiatives | Yes |
Mail bomb script (e.g., Love Bug) | Use virus scanning software, incident handling, and user training | High | Cost covered in other initiatives | Yes |

Impact Level | Data Disclosure | Data Integrity Compromised | Loss of Customer Confidence | Network Impact | Messaging Impacts |
---|---|---|---|---|---|
High | Employees send sensitive messages to external customers without encryption | Hackers access and modify data on server in DMZ | Credit card data stolen from site | DoS or DDoS attacks | Love Bug-type script bomb |
Medium | Employees give out passwords to other employees | Hackers are able to access and modify business data on the trusted network | Web site down for X% of SLA | Router is compromised by hacker | Mass mail system not implemented |
Low | Backup tapes stolen and used externally | System backups are not tested, so restores are not valid | Web site down for Y% of SLA | Hacker is able to access trusted network | Nonbusiness use of messaging resources |

Impact Level | Data Disclosure | Data Integrity Compromised | Loss of Customer Confidence | Network Impact | Messaging Impacts |
---|---|---|---|---|---|
High | $$$ | $$$ | $$$ | $$ | $$ |
Medium | $$ | $$$ | $$$ | $$ | $ |
Low | $$ | $$ | $ | $ | $ |
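As an added example (not from the book), the Python script below applies the analysis step described above to constructed rows mirroring the control directory tables: it keeps only the controls marked Yes, parses the cost cells including the "Under $1,000 (labor cost)" and "Cost covered in other initiatives" entries, lists the most likely exposures first, and totals the budget. The likelihood ranking is an assumption of this example.

```python
import re

# Constructed rows mirroring the control directory tables above
# (threat, control, potential of occurrence, cost, recommend).
CONTROL_DIRECTORY = [
    ("Data sent to external users", "Train users", "High", "$10,000", "Yes"),
    ("Ninjas break in on the 30th floor", "Army of Ninjas", "Very Low", "$1,000,000", "No"),
    ("Hacking tool can grant admin access", "Upgrade O/S to service pack 9", "Medium", "Under $1,000 (labor cost)", "Yes"),
    ("A virus can damage messages", "Install virus scanning software", "High", "$35,000", "Yes"),
    ("Administrator can manipulate any mailbox", "Administrator training and auditing", "Medium", "$3,000", "Yes"),
    ("SMTP sender may not be the true sender", "Train users on signed messages", "High", "Cost covered in other initiatives", "Yes"),
]

# Assumed ordering used to list the most likely exposures first in the plan.
LIKELIHOOD_RANK = {"High": 0, "Medium": 1, "Low": 2, "Very Low": 3}


def parse_cost(text):
    """Turn a cost cell into (dollars, note).

    'Under $1,000 (labor cost)' is treated as an upper bound of 1000;
    'Cost covered in other initiatives' adds nothing to this budget.
    """
    lowered = text.strip().lower()
    if "covered" in lowered:
        return 0, "covered elsewhere"
    match = re.search(r"\$([\d,]+)", text)
    if match is None:
        raise ValueError(f"unparseable cost cell: {text!r}")
    dollars = int(match.group(1).replace(",", ""))
    note = "upper bound" if lowered.startswith("under") else ""
    return dollars, note


def build_plan(rows):
    """Keep only the controls marked Yes, most likely threats first, and total the budget."""
    plan = []
    for threat, control, potential, cost, recommend in rows:
        if recommend.strip().lower() != "yes":
            continue  # may add some security, but judged impractical to implement
        dollars, note = parse_cost(cost)
        plan.append({"threat": threat, "control": control, "potential": potential,
                     "cost": dollars, "note": note})
    plan.sort(key=lambda item: LIKELIHOOD_RANK.get(item["potential"], 99))
    budget = sum(item["cost"] for item in plan)
    return plan, budget


if __name__ == "__main__":
    selected, total = build_plan(CONTROL_DIRECTORY)
    for item in selected:
        print(f"{item['potential']:<8} ${item['cost']:>9,}  {item['control']}  {item['note']}")
    print(f"Total budget: ${total:,}")
```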