Risk-Assessment Methodologies

In the previous chapter, the goals and objectives for conducting a risk assessment were presented. These goals and objectives provide many reasons why an organization should conduct a risk assessment on its IT and network infrastructure. In some cases, new laws, mandates, and regulations such as HIPAA, GLBA, FISMA, and SOX require organizations to conduct periodic risk and vulnerability assessments and implement defined security controls. This, coupled with the creation and implementation of an IT security architecture and framework, provides the necessary foundation for an organization to properly manage and mitigate the risks caused by threats and vulnerabilities to an IT and network infrastructure.

This chapter first presents the risk-assessment terminology commonly used when discussing risk management and risk-assessment topics. After these terms and definitions are presented, the chapter describes the different methodologies and approaches for conducting a risk assessment on an IT infrastructure and its assets. The reader will learn the steps needed to conduct a risk assessment using different methodologies or approaches. However, no matter what methodology or approach is used, it is important that the organization address how asset management and proper inventorying of the organization's IT assets are to be handled. After the IT systems, applications, and data assets are inventoried, the organization must prioritize them based on their importance to the organization. This prioritization is critical because few organizations have unlimited funds to implement the security controls and countermeasures needed to mitigate every risk identified from threats and vulnerabilities. This prioritization is typically aligned to the organization's business drivers, goals, and objectives. The risk that threats and vulnerabilities pose to an organization's IT hardware, software, and assets can then be assessed qualitatively, quantitatively, or via a hybrid approach.

Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
Year: 2003
Pages: 138
