Audit and Compliance

Key Terms

The following acronyms and terms are used in this chapter. For the purposes of this chapter they are defined as follows:

Access creep

The result of employees moving from one position to another within an organization without losing the privileges of the old position while gaining the additional access of the new one. Over time, the employee accumulates far more access than he or she should have.

ACL

A table or list, stored by a router or similar device, that controls access to and from a network by helping the device decide whether to forward or drop packets entering or leaving it.

Base64

An encoding scheme used to represent data in some email applications. Because it is an encoding rather than true encryption, it is trivially reversed and provides no confidentiality.

DMZ

The middle ground between a trusted internal network and an untrusted external network. Services that both internal and external users must reach, such as HTTP, are typically placed there.

Gap analysis

The analysis of the differences between two states, often to determine how to get from point A to point B; the aim is to identify ways to bridge the gap.

Impact

An attempt to identify the extent of the consequences should a given event occur.

IPSec

Short for IP Security, an extension to the IP protocol that enables secure data transfer. It provides services similar to SSL/TLS.

Methodology

A set of documented procedures used to perform activities in a consistent, accountable, and repeatable manner.

Policy control

An analysis of the current state of the organization's policies.

Probability

The likelihood of an event happening.

Raw risk

The result of the formula used to calculate risk and vulnerability. It is calculated as follows: Probability * Impact = Raw Risk.

Risk score

A way to analyze raw risk. It is calculated by multiplying probability by impact.

SCORE (Security Consensus Operational Readiness Evaluation)

A broad-based project that has developed minimum standards and best-practice information, benchmarked for general use by industry at large.

Total risk score

A way to analyze total risk. It is calculated by multiplying the raw risk score by the level of control.

Table of contents:

Introduction to Assessing Network Vulnerabilities

Foundations and Principles of Security

Why Risk Assessment

Risk-Assessment Methodologies

Scoping the Project

Understanding the Attacker

Performing the Assessment

Tools Used for Assessments and Evaluations

Preparing the Final Report

Post-Assessment Activities

Appendix A. Security Assessment Resources

Appendix B. Security Assessment Forms

Appendix C. Security Assessment Sample Report

Appendix D. Dealing with Consultants and Outside Vendors

Appendix E. SIRT Team Report Format Template



Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
Year: 2003
Pages: 138