Making Sure You Are Ready to Begin

Key Terms

The following acronyms and terms are used in this chapter. For the purposes of this chapter, they are defined as follows:

Business impact analysis (BIA)

A component of the business continuity plan. The BIA looks at all the components whose continued functionality the organization relies upon. It seeks to distinguish which are more crucial than others and so require a greater allocation of funds in the wake of a disaster.



The quality, state, degree, or measurement of the highest importance.


Ethical hackers

Security professionals who legally attempt to break into a computer system or network to find its vulnerabilities.


Kick-off meeting

The initial meeting of the assessment team and management that is used to strategize and plan the assessment activities. It is also an opportunity for everyone present to ask questions and work out any problems that may need to be addressed.


Level I assessments

This type of vulnerability assessment examines the controls implemented to protect information in storage, in transmission, or being processed. It involves no hands-on testing. It is a review of the processes and procedures in place and focuses on interviews and demonstrations.


Level II assessments

This type of assessment is more in-depth than a level I. Level II assessments include vulnerability scans and hands-on testing.


Level III assessments

This type of assessment is adversarial in nature and is also known as a penetration test. It is an attempt to find and exploit vulnerabilities. It seeks to determine what a malicious user or outsider could do if determined to damage the organization.



The National Security Agency (NSA) Information Security Assessment Methodology (IAM) is a systematic process used by government agencies and private organizations for the assessment of security vulnerabilities.


Organizational Information Criticality Matrix (OICM)

The OICM is a means of determining critical information types within the organization. It is based on what the organization determines is most critical. It is a qualitative process.


Penetration test

A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker, but without doing harm and with the owner's consent.


Qualitative assessment

An analysis of risk that places the probability results into terms such as none, low, medium, and high.


Scope creep

This is the uncontrolled change in the project's scope. It causes the assessment to drift away from its original scope and results in budget and schedule overruns.


Systems Criticality Matrix (SCM)

Similar to the OICM, the SCM is used to define the organization's critical systems. This allows the organization to identify and focus its security mechanisms on the systems that are most critical to the organization's mission.



The susceptibility to damage or attack caused by a security exposure in software, application, hardware, or human component.


Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
Year: 2003
Pages: 138