Preparing for Analysis
Now that you are ready to dig into the data, use the skills and abilities of your team to help formulate solutions. Get the team involved. As project manager, you will be responsible for the report and its overall look and feel. Individual team members can be given responsibility for portions of the report. Assign them to the areas that they worked in or to a task that fits with their strengths. Working as a group, they can also help you analyze the findings and develop risk-ranking scores. When meeting with the team, the project manager should set the agenda. Encourage all team members to take an active role and offer input. Remind the team to stay focused on what is best for the organization. When it is time to write the report, you should also set deadlines for each team member's individual assignments, follow-ups, or additional information that you've requested. One way to work through the bulk of the findings as a team is by using a three-tiered approach:
- Multimodal (Brainstorm)As you review your findings and discuss specific problems, let the group come up with possible solutions. Much of the analysis is qualitative, so it is open to discussion. During this free flow of information, don't discount any ideas or opinions. One approach is to list each possibility on a whiteboard.
- Bimodal (Evaluate)Now that the team has provided you with many possible solutions, go through the list and narrow it down to the few that really seem possible.
- Unimodal (Decide)Maybe more than one solution will work, but you'll need primary solutions and recommendations. You might consider dividing the solutions into three categories: good solutions, cheap solutions, and quick fixes. This helps the organization to maintain some flexibility when trying to budget the needed improvements.
The organization may not be able to implement all the items you recommend, so target the ones with the highest risk/highest probability. To help stay focused on what's important, keep in mind the organization's OICM and SCM. These matrixes identified what was critical for the organization's mission.
Introduction to Assessing Network Vulnerabilities
- Introduction to Assessing Network Vulnerabilities
- What Security Is and Isnt
- Process for Assessing Risk
- Four Ways in Which You Can Respond to Risk
- Network Vulnerability Assessment
Foundations and Principles of Security
- Foundations and Principles of Security
- Basic Security Principles
- Security Requires Information Classification
- The Policy Framework
- The Role Authentication, Authorization, and Accountability Play in a Secure Organization
- Encryption
- Security and the Employee (Social Engineering)
Why Risk Assessment
- Why Risk Assessment
- Risk Terminology
- Laws, Mandates, and Regulations
- Risk Assessment Best Practices
- Understanding the IT Security Process
- The Goals and Objectives of a Risk Assessment
Risk-Assessment Methodologies
- Risk-Assessment Methodologies
- Risk-Assessment Terminology
- Quantitative and Qualitative Risk-Assessment Approaches
- Best Practices for Quantitative and Qualitative Risk Assessment
- Choosing the Best Risk-Assessment Approach
- Common Risk-Assessment Methodologies and Templates
Scoping the Project
- Scoping the Project
- Defining the Scope of the Assessment
- Reviewing Critical Systems and Information
- Compiling the Needed Documentation
- Making Sure You Are Ready to Begin
Understanding the Attacker
- Understanding the Attacker
- Who Are the Attackers?
- What Do Attackers Do?
- Reducing the Risk of an Attack
- How to Respond to an Attack
Performing the Assessment
- Performing the Assessment
- Introducing the Assessment Process
- Level I Assessments
- Level II Assessments
- Level III Assessments
Tools Used for Assessments and Evaluations
- Tools Used for Assessments and Evaluations
- A Brief History of Security Tools
- Putting Together a Toolkit
- Determining What Tools to Use
Preparing the Final Report
- Preparing the Final Report
- Preparing for Analysis
- Ranking Your Findings
- Building the Final Report
- Contents of a Good Report
- Determining the Next Step
- Audit and Compliance
Post-Assessment Activities
- Post-Assessment Activities
- IT Security Architecture and Framework
- Roles, Responsibilities, and Accountabilities
- Security Incident Response Team (SIRT)
- Vulnerability Management
- Training IT Staff and End Users
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
- Information Request Form
- Document Tracking Form
- Critical Systems and Information Forms
- Level II Assessment Forms
Appendix C. Security Assessment Sample Report
- Appendix C. Security Assessment Sample Report
- Notice
- Executive Summary
- Statement of Work
- Analysis
- Recommendations
- Conclusions
Appendix D. Dealing with Consultants and Outside Vendors
- Appendix D. Dealing with Consultants and Outside Vendors
- Procurement Terminology
- Typical RFP Procurement Steps
- Procurement Best Practices
Appendix E. SIRT Team Report Format Template
EAN: 2147483647
Pages: 138
