Post-assessment activities deal with reviewing the project's summary of findings, assessments, and recommendations that are crafted from the IT infrastructure's risk and vulnerability project final report. Typically, the risk and vulnerability assessment uncovers a multitude of issues, concerns, and security voids inherent in the organization's IT infrastructure and assets. These issues, concerns, and security voids are then assessed based on the organization's defined business drivers, goals, and objectives in parallel with the prioritization or importance of the identified IT systems, applications, and resources that support the organization's business processes and functions.
In many cases, organizations are subject to industry compliancy laws as described in Chapter 3, "Why Risk Assessment." These new compliancy laws define the framework for how organizations are to conduct risk and vulnerability assessments and how an organization must have properly defined security controls, processes, and procedures. As described in Chapter 4, "Risk Assessment Methodologies," conducting a top-down approach for risk and vulnerability assessments requires an existing IT security architecture and framework to be in place. This architecture and framework acts as the yardstick of measurement for how the assessor is to conduct a risk and vulnerability assessment based on a defined set of security controls, processes, and procedures. Many organizations quite simply lack adequate IT security architectures and frameworks that are needed to manage IT infrastructures and IT assets and maintain appropriate levels of confidentiality, integrity, and availability.
This common void is typically the most important post-assessment activity, to create, define, document, and communicate an organization's IT security architecture and framework that may be missing or that has gaps, thus exposing the IT infrastructure and its assets to risk caused by threats and vulnerabilities that are not being addressed by the organization at a policy level. This chapter will define what an IT security architecture and framework is and how it acts as the road map for an organization's overall information security strategies for risk mitigation. Finally, this chapter will discuss how to deal with security breaches and incidents and how to distribute the overall information security roles, responsibilities, and accountabilities throughout the IT infrastructure and the IT professionals who must now incorporate proper security controls and practices as part of the organization's overall strategy for security of the IT infrastructure and its assets.
Introduction to Assessing Network Vulnerabilities
Foundations and Principles of Security
Why Risk Assessment
Scoping the Project
Understanding the Attacker
Performing the Assessment
Tools Used for Assessments and Evaluations
Preparing the Final Report
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
Appendix C. Security Assessment Sample Report
Appendix D. Dealing with Consultants and Outside Vendors
Appendix E. SIRT Team Report Format Template