At this point in the project, you should take a moment to thank everyone who has been involved. It is important that all members of the team go their separate ways feeling as positive as possible, knowing that they helped contribute to the bettering of the overall security of the organization. It may be appropriate to hold a final meeting at which you thank everyone for their contributions and express enthusiasm that they all played a part in building a more secure organization. Based on the findings, some of these same individuals may be involved in implementing controls to improve security.
Finally, don't forget that trade-offs must sometimes be made between business objectives and security. Your job here is to make recommendations. Management is ultimately responsible for determining what is right. These trade-offs may not always be resolved in favor of security; management must make the decision to accept risk. For example, your findings might indicate that e-commerce activities put the organization at a greater risk of attack or denial-of-service. However, this may be weighed against data that indicates the organization may have a 60% growth in profit by doing business over the Web. Therefore, management may decide to accept the risk because there is such a high potential for added growth and revenue. In the end, there is always a trade-off between security and usability, as shown in Figure 9.2.
Figure 9.2. Security and usability trade-off.
Accidents, errors, and omissions account for much higher losses than deliberate acts. Some studies indicate that more than 60% of information losses are caused by accidents. Only 35 to 40% are deliberate acts, and of these, most can be traced to internal sources. That's right: the people you have the most to fear are those closest to you! Therefore, controls that reduce the potential for harmful acts by insiders should always rank high on your list of recommendations. Building good policies and policy enforcement mechanisms is critical. Security against deliberate acts can be achieved only if a potential perpetrator believes there is a definite probability of being detected.