Assessing Current Network Concerns 45
Three checklists are provided in Appendix A:
1. ISO 17799 Self-Assessment Questionnaire
2. Network Vulnerability Assessment Checklist
3. Windows NT Server 4.0
When developing your checklist, it might be helpful to establish categories
to review. In ISO 17799, the Communications and Operations Management
section 8.5, Network Management, identifies “network controls” as a topic
to be covered. Section 9, Access Controls, is subdivided into 9.4, Network
Access Controls; 9.7, Event Monitoring; and 9.8, Mobile Computing and
Teleworking (Telecommuting). Use these as a starting point for categories or use
the following:
Environmental hazards
Power supplies
Cabling security
Equipment maintenance
Off-premises equipment security
Disposal of equipment
Summary
To be successful, the NVA team must identify which network security concerns
have the highest priority. This allows the team to focus on those threats and
risks that can cause the enterprise the most damage. Understanding that the
security concerns include personnel and physical as well as technical issues
will ensure the most comprehensive assessment possible.
Establishing a team that represents the enterprise also adds to the
credibility of the assessment results. Using enterprise personnel will ensure that
those individuals with the most intimate knowledge of how the network works
and how it is supposed to work will have input into the report. Be sure to
include representatives from the user community. Some of the best and most
knowledgeable network users come from the business units.
Use all of the resources available to plot what threats will be addressed. Do
your research to gather significant issues and then prioritize these risks based
on probability of occurrence and impact to the enterprise or network. Concentrate
on those issues that will bring the biggest impact to your organization. Use your
team to identify additional items and measure their specific impact.
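The prioritization step described above (ranking concerns by probability of occurrence and impact, and checking that every checklist category was actually reviewed) as an added example that is not from the book; the ordinal scales, the sample concerns, and the "physical" category are constructed assumptions, while the ISO 17799 section labels come from the text.

```python
"""Added example: rank network security concerns by probability and impact,
grouped under checklist categories, and flag categories with no items."""
from dataclasses import dataclass

# Ordinal scale used for both probability and impact (constructed assumption).
SCALE = {"low": 1, "medium": 2, "high": 3}

# Checklist categories; the ISO 17799 section labels are from the text,
# "physical" is a constructed catch-all for the environmental/equipment items.
CATEGORIES = {
    "8.5": "Network Management",
    "9.4": "Network Access Controls",
    "9.7": "Event Monitoring",
    "9.8": "Mobile Computing and Teleworking",
    "physical": "Environmental / equipment security",
}

@dataclass
class Concern:
    title: str
    category: str       # key into CATEGORIES
    probability: str    # "low" | "medium" | "high"
    impact: str         # "low" | "medium" | "high"

    def score(self) -> int:
        """Risk score = probability x impact on the ordinal scale (1..9)."""
        return SCALE[self.probability] * SCALE[self.impact]

def prioritize(concerns):
    """Return concerns sorted highest risk first; ties broken by impact."""
    return sorted(concerns, key=lambda c: (c.score(), SCALE[c.impact]), reverse=True)

def uncovered_categories(concerns):
    """Categories with no checklist item: gaps the team still has to review."""
    seen = {c.category for c in concerns}
    return sorted(k for k in CATEGORIES if k not in seen)

# Constructed sample concerns for a fictional enterprise.
SAMPLE = [
    Concern("Unmonitored remote-access logins", "9.7", "medium", "high"),
    Concern("Unlabelled cabling in shared closets", "physical", "low", "medium"),
    Concern("Laptops with no disk encryption used off-site", "9.8", "high", "high"),
    Concern("Shared admin account on core switches", "9.4", "medium", "medium"),
]

if __name__ == "__main__":
    for c in prioritize(SAMPLE):
        print(f"{c.score():2d}  [{CATEGORIES[c.category]}] {c.title}")
    print("Categories without checklist items:", uncovered_categories(SAMPLE))
```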
Developing a checklist will assist the NVA team in ensuring that basic
security controls are examined. Do not just use the checklist. Listen and ask
questions, and be ready to include additional information in the examination
process.