Risk Assessment


Before you start on the security policy document, you need to perform a risk assessment to help all parties understand the cost of losing something, what it actually is they have to lose, and how they can lose it. For example, what is the risk should your building experience total power failure? How much will it cost the company if it is effectively shut down for an extended period of time? This is what your risk assessment helps to flush out. What if your ISP cuts off your service because of spamming and hacking attacks coming from your IP address? How long can you be without Internet access as a company, and how much will it cost? Following are three main points you should always be thinking about when creating your policy:

  • What are the assets that need protection?

  • What threats do they face?

  • What is the cost of protecting them?

Assets

The first part of your risk assessment is to identify the assets that need protection. Assets range from physical computers and digital information to building security and even intellectual property. All of these require some form of protection. Whether the loss comes from a fire burning down the building or from information being placed in the wrong hands, it could cost the company a substantial amount of money or embarrassment. Table A-1 lists the basic items about which you should gather information as they pertain to your category of security policy.

Table A-1. Basic Asset Information for a Security Policy

Asset Category    Description
Hardware          Computers/laptops
                  Servers, routers, switches
                  Printers, copiers
Software          Operating systems
                  Source code
Data              Databases
                  Archive tapes
                  Transmitted information on the network
                  Intellectual property
People            Administrators
                  Users


Threats

The second part of the risk assessment details the possible threats to these assets. Realistically, this list will never be totally complete, but listing as many threats as possible can only help when planning for costs. Table A-2 lists some possible threats to your business.

Table A-2. Possible Security Threats

Threat Category    Description
Human              Cracker
                   Hacker
                   Disgruntled worker
                   Untrained employee
                   Terrorist
                   Denial of service
Equipment          Power failure
                   Hardware failure
Natural            Storm
                   Fire
                   Flood
                   Earthquake
                   Lightning
                   Meteor strike


Cost

Last but not least is calculating the cost of protecting your assets. Business decisions always weigh heavily on cost. If it costs more to protect something than it is actually worth, you should seek an alternative method or solution, or simply not protect it. Table A-3 lists some of the different costs associated with company assets.

Table A-3. Asset Protection Costs

Asset            Cost
Computer         Hardware
                 Software
                 Installation and configuration
Data             Database data
Power failure    UPS
                 Generator
Building         Replacement and repair
Personnel        Downtime
                 Recruitment
                 Training time
                 Employee benefits
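One way to put numbers behind the rule above, as an added example that is not from the book: a small Python risk register that prices each asset/threat pair by expected annual loss (occurrences per year times downtime cost plus repair cost) and compares the loss a control would avoid with what the control costs per year. The asset names, figures and the expected-loss model are constructed assumptions for illustration, not data from the text.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Risk:
    """One asset/threat pair from the assessment and the control considered for it."""
    asset: str              # item from the asset inventory (Table A-1)
    threat: str             # item from the threat list (Table A-2)
    annual_rate: float      # expected occurrences per year (assumed figure)
    downtime_hours: float   # hours the business is effectively shut down per occurrence
    hourly_loss: float      # cost of one hour of that downtime
    recovery_cost: float    # one-off replacement/repair cost per occurrence (Table A-3)
    control: str            # protection being priced
    control_cost: float     # yearly cost of that protection
    residual_rate: float    # occurrences per year still expected with the control in place

    def single_loss(self) -> float:
        return self.downtime_hours * self.hourly_loss + self.recovery_cost

    def expected_annual_loss(self, rate: Optional[float] = None) -> float:
        rate = self.annual_rate if rate is None else rate
        return rate * self.single_loss()

    def savings(self) -> float:
        """Loss avoided per year by adopting the control."""
        return self.expected_annual_loss() - self.expected_annual_loss(self.residual_rate)

    def decision(self) -> str:
        # The text's rule: if protecting something costs more than it is worth,
        # seek an alternative or do not protect it.
        return "protect" if self.savings() > self.control_cost else "accept or find cheaper control"

# Constructed sample register; every figure below is made up for illustration.
REGISTER = [
    Risk("Internet connectivity", "ISP cuts service over abuse complaints", 0.5, 48, 2_000, 0,
         "Outbound filtering and abuse monitoring", 12_000, 0.05),
    Risk("Building power", "Power failure", 2.0, 8, 2_000, 0, "UPS plus generator", 15_000, 0.1),
    Risk("File server", "Hardware failure", 0.3, 24, 1_000, 5_000, "Hot spare and nightly backup", 4_000, 0.05),
    Risk("Office printer", "Hardware failure", 1.0, 4, 50, 500, "On-site service contract", 900, 0.2),
    Risk("Office copier", "Meteor strike", 0.000001, 2, 100, 3_000, "Hardened bunker", 50_000, 0.0),
]

def prioritise(register: List[Risk]) -> List[Tuple[str, str, float, str]]:
    """Rank risks by expected annual loss, highest first, with the decision for each."""
    rows = [(r.asset, r.threat, round(r.expected_annual_loss(), 2), r.decision()) for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for asset, threat, loss, verdict in prioritise(REGISTER):
        print(f"{asset:22} {threat:40} {loss:>10.2f}  {verdict}")
```

The printer row shows the rule biting on an ordinary case: a service contract that costs more per year than the failures it prevents is not worth buying, independent of how likely the failure is.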


Getting Acceptance

After you have gathered all the risk assessment information, the next step is to present that data to the appropriate department heads. Getting managers from several different areas, such as the help desk, accounting, research, engineering, and human resources, to contribute their input to the policy and sign off on it is critical to the successful implementation of the policy. People usually overlook this basic step, and the result is a new security policy that no one had input into. When this happens, managers do not properly enforce the policy in their own departments. To prevent that from happening, get managers involved, get them excited about security, and let them know that their opinion is important. Security is their friend, not their enemy. Help people understand that having and following documented policies and procedures makes their jobs easier. They will no longer be out on a limb when refusing a request from a senior member of staff to reuse a password, because they can refer to the policy in support of their refusal. When a company adopts this method of community policy building, everyone feels he has helped to contribute to the new security policy, which facilitates departmental acceptance and enforcement.

Penetration Testing and Network Defense
ISBN: 1587052083
Year: 2005
Pages: 209