Making Sure You Are Ready to Begin
Key Terms
The following acronyms and terms are used in this chapter. For the explanation and definition purpose of this chapter, these acronyms and terms are defined as follows:
Business impact analysis (BIA)
A component of the business continuity plan. The BIA looks at all the components that an organization is reliant upon the continued functionality. It seeks to distinguish which are more crucial than others and require a greater allocation of funds in the wake of a disaster.
Criticality
The quality, state, degree, or measurement of the highest importance.
Ethical hackers
A security professional who legally attempts to break into a computer system or network to find its vulnerabilities.
Kick-off meeting
The initial meeting of the assessment team and management that is used to strategize and plan the assessment activities. It is also an opportunity for everyone present to ask questions and work out any problems that may need to be addressed.
Level I assessments
This type of vulnerability assessment examines the controls implemented to protect information in storage, transmission, or being processed. It involves no hands-on testing. It is a review of the process and procedures in place and focuses on interviews and demonstrations.
Level II assessments
This type of assessment is more in-depth than a level I. Level II assessments include vulnerability scans and hands-on testing.
Level III assessments
This type of assessment is adversarial in nature and is also know as a penetration test. It is an attempt to find and exploit vulnerabilities. It seeks to determine what a malicious user or outsider could do if determined to damage the organization.
NSA IAM
The National Security Agency (NSA) Information Security Assessment Methodology (IAM) is a systematic process used by government agencies and private organizations for the assessment of security vulnerabilities.
Organizational Information Criticality Matrix (OICM)
The OICM is a means of determining critical information types within the organization. IT is based on what the organization determines is most critical. It is a qualitative process.
Penetration test
A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker but without doing harm and with the owners consent.
Qualitative assessment
An analysis of risk that places the probability results into terms such as none, low, medium, and high.
Scope creep
This is the uncontrolled change in the project's scope. It causes the assessment to drift away form its original scope and results in budget and schedule overruns.
Systems Criticality Matrix (SCM)
Similar to the OICM, the SCM is used to define the organization's critical systems. This allows the organization to identify and focus its security mechanisms on the systems that are most critical to the organization's mission.
Vulnerability
The susceptibility to damage or attack caused by a security exposure in software, application, hardware, or human component.
Introduction to Assessing Network Vulnerabilities
- Introduction to Assessing Network Vulnerabilities
- What Security Is and Isnt
- Process for Assessing Risk
- Four Ways in Which You Can Respond to Risk
- Network Vulnerability Assessment
Foundations and Principles of Security
- Foundations and Principles of Security
- Basic Security Principles
- Security Requires Information Classification
- The Policy Framework
- The Role Authentication, Authorization, and Accountability Play in a Secure Organization
- Encryption
- Security and the Employee (Social Engineering)
Why Risk Assessment
- Why Risk Assessment
- Risk Terminology
- Laws, Mandates, and Regulations
- Risk Assessment Best Practices
- Understanding the IT Security Process
- The Goals and Objectives of a Risk Assessment
Risk-Assessment Methodologies
- Risk-Assessment Methodologies
- Risk-Assessment Terminology
- Quantitative and Qualitative Risk-Assessment Approaches
- Best Practices for Quantitative and Qualitative Risk Assessment
- Choosing the Best Risk-Assessment Approach
- Common Risk-Assessment Methodologies and Templates
Scoping the Project
- Scoping the Project
- Defining the Scope of the Assessment
- Reviewing Critical Systems and Information
- Compiling the Needed Documentation
- Making Sure You Are Ready to Begin
Understanding the Attacker
- Understanding the Attacker
- Who Are the Attackers?
- What Do Attackers Do?
- Reducing the Risk of an Attack
- How to Respond to an Attack
Performing the Assessment
- Performing the Assessment
- Introducing the Assessment Process
- Level I Assessments
- Level II Assessments
- Level III Assessments
Tools Used for Assessments and Evaluations
- Tools Used for Assessments and Evaluations
- A Brief History of Security Tools
- Putting Together a Toolkit
- Determining What Tools to Use
Preparing the Final Report
- Preparing the Final Report
- Preparing for Analysis
- Ranking Your Findings
- Building the Final Report
- Contents of a Good Report
- Determining the Next Step
- Audit and Compliance
Post-Assessment Activities
- Post-Assessment Activities
- IT Security Architecture and Framework
- Roles, Responsibilities, and Accountabilities
- Security Incident Response Team (SIRT)
- Vulnerability Management
- Training IT Staff and End Users
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
- Information Request Form
- Document Tracking Form
- Critical Systems and Information Forms
- Level II Assessment Forms
Appendix C. Security Assessment Sample Report
- Appendix C. Security Assessment Sample Report
- Notice
- Executive Summary
- Statement of Work
- Analysis
- Recommendations
- Conclusions
Appendix D. Dealing with Consultants and Outside Vendors
- Appendix D. Dealing with Consultants and Outside Vendors
- Procurement Terminology
- Typical RFP Procurement Steps
- Procurement Best Practices
Appendix E. SIRT Team Report Format Template
EAN: 2147483647
Pages: 138
