The following acronyms and terms are used in this chapter. For the purposes of this chapter, they are defined as follows:
Business impact analysis (BIA)
A component of the business continuity plan. The BIA looks at all the components whose continued functionality the organization relies on. It seeks to distinguish which are more crucial than others and therefore require a greater allocation of funds in the wake of a disaster.
Criticality
The quality, state, degree, or measurement of the highest importance.
Ethical hacker
A security professional who legally attempts to break into a computer system or network to find its vulnerabilities.
Kick-off meeting
The initial meeting of the assessment team and management, used to strategize and plan the assessment activities. It is also an opportunity for everyone present to ask questions and work out any problems that need to be addressed.
Level I assessments
This type of vulnerability assessment examines the controls implemented to protect information in storage, transmission, or being processed. It involves no hands-on testing. It is a review of the process and procedures in place and focuses on interviews and demonstrations.
Level II assessments
This type of assessment is more in-depth than a level I. Level II assessments include vulnerability scans and hands-on testing.
Level III assessments
This type of assessment is adversarial in nature and is also known as a penetration test. It is an attempt to find and exploit vulnerabilities. It seeks to determine what a malicious user or outsider could do if determined to damage the organization.
National Security Agency (NSA) Information Security Assessment Methodology (IAM)
A systematic process used by government agencies and private organizations for the assessment of security vulnerabilities.
Organizational Information Criticality Matrix (OICM)
The OICM is a means of determining the critical information types within the organization. It is based on what the organization itself determines to be most critical. It is a qualitative process.
Penetration test
A method of evaluating the security of a network or computer system by simulating an attack by a malicious hacker, but without doing harm and with the owner's consent.
Qualitative assessment
An analysis of risk that places the probability results into terms such as none, low, medium, and high.
Scope creep
The uncontrolled change in a project's scope. It causes the assessment to drift away from its original scope and results in budget and schedule overruns.
Systems Criticality Matrix (SCM)
Similar to the OICM, the SCM is used to define the organization's critical systems. This allows the organization to identify and focus its security mechanisms on the systems that are most critical to the organization's mission.
Vulnerability
The susceptibility to damage or attack caused by a security exposure in a software, application, hardware, or human component.
Introduction to Assessing Network Vulnerabilities
Foundations and Principles of Security
Why Risk Assessment
Scoping the Project
Understanding the Attacker
Performing the Assessment
Tools Used for Assessments and Evaluations
Preparing the Final Report
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
Appendix C. Security Assessment Sample Report
Appendix D. Dealing with Consultants and Outside Vendors
Appendix E. SIRT Team Report Format Template