Every organization is unique in how it operates and maintains the confidentiality, integrity, and availability of its IT infrastructure and assets. The following are three basic approaches to conducting a risk and vulnerability assessment on an IT infrastructure and its assets:
Figure 4.2 depicts a top-down risk and vulnerability assessment approach. Top-down refers to an examination of the organization's business drivers and goals and objectives for conducting the risk assessment. This top-down risk and vulnerability assessment approach is dependent on documented organizational business drivers, goals, and objectives for the risk and vulnerability assessment, and an existing IT security architecture and framework or IT security policies, standards, procedures, and guidelines.
Figure 4.2. Top-down risk-assessment approach.
Figure 4.3 depicts a bottom-up risk-assessment approach. In many cases, organizations may not have the necessary documentation that the risk and vulnerability assessment can be compared to. In cases like this, conducting a bottom-up risk assessment is common. Prior to beginning the bottom-up risk assessment, the project usually requires the creation of business drivers, goals, and objectives of the risk assessment, and then the creation of an IT security architecture framework. This provides both a baseline definition for the IT infrastructure information security definition as well as the high-level policies, standards, procedures, and guidelines that are needed to implement proper security controls.
Figure 4.3. Bottom-up risk-assessment approach.
Figure 4.4 depicts a hybrid approach to risk management. In this case, both a top-down and bottom-up approach to risk management is conducted in parallel. This will assist in the gap analysis for the provided IT security architecture and framework and an assessment of what is really happening with the security controls and security countermeasures, as defined in the organization's policies, standards, procedures, and guidelines. The hybrid approach to risk management is typical for those organizations that have some IT security policies, standards, procedures, and guidelines, and some network configuration, network documentation, and IT asset inventory data.
Figure 4.4. Hybrid risk-assessment approach.
Introduction to Assessing Network Vulnerabilities
Foundations and Principles of Security
Why Risk Assessment
Scoping the Project
Understanding the Attacker
Performing the Assessment
Tools Used for Assessments and Evaluations
Preparing the Final Report
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
Appendix C. Security Assessment Sample Report
Appendix D. Dealing with Consultants and Outside Vendors
Appendix E. SIRT Team Report Format Template