48 Managing Network Vulnerability Assessment
excellent assessment services to your management and user community. This
chapter provides the following resources to assist you in performing a
comprehensive, accurate, and useful assessment of an organization’s network
security, controls, and safeguards:
Sample schedule and agenda
Requirements document
Documentation checklist
Key personnel checklist
Interview questions
Recommended tools
Sample network vulnerability assessment
Definitions
The NVA is the process by which organizations can evaluate their policies,
business practices, network(s) and network devices, hardware, software,
staffing, and training to determine the vulnerabilities that threaten the
integrity of their networks and supporting infrastructure. Once the
vulnerabilities have been identified, the NVA will be necessary to determine
appropriate and cost-effective mitigation for securing the enterprise’s data
and network infrastructure.
Key terms used in the NVA include the following:
Risk: the probability that a threat will exploit a vulnerability to adversely
affect an information asset
Threat: an event, the occurrence of which could have an undesired impact
Threat impact: a measure of the magnitude of loss or harm on the value
of an asset
Threat probability: the chance that an event will occur or that a specific
loss value may be attained should the event occur
Safeguard: a risk-reducing measure that acts to detect, prevent, or minimize
loss associated with the occurrence of a specified threat or category of threats
Vulnerability: the absence or weakness of a risk-reducing safeguard
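To show how these terms fit together in practice, here is an added example (not code from the book) that models an asset, its threats, the safeguards already in place, and candidate mitigations using the vocabulary defined above. The scoring convention it uses, expected annual loss equal to threat probability times threat impact with each safeguard scaling one or both factors, is an assumption of the example rather than a formula stated on this page; the asset, threat and safeguard figures are constructed for illustration.

```python
"""Toy risk model built on the NVA vocabulary: threat, threat probability,
threat impact, safeguard, vulnerability.  The scoring convention
(expected loss = probability x impact, safeguards scale both factors)
is an assumption of this example, not a formula from the book."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float  # threat probability: chance of the event per year, 0..1
    impact: float       # threat impact: loss in currency units if it occurs


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    probability_reduction: float = 0.0  # fraction of the probability removed
    impact_reduction: float = 0.0       # fraction of the loss removed
    mitigates: Tuple[str, ...] = ()     # names of the threats it applies to


@dataclass
class Asset:
    name: str
    threats: List[Threat]
    safeguards: List[Safeguard] = field(default_factory=list)  # in place today


def applicable(threat: Threat, safeguards: List[Safeguard]) -> List[Safeguard]:
    return [s for s in safeguards if threat.name in s.mitigates]


def expected_loss(threat: Threat, safeguards: List[Safeguard]) -> float:
    """Risk expressed as expected annual loss after the given safeguards."""
    p, i = threat.probability, threat.impact
    for s in applicable(threat, safeguards):
        p *= 1.0 - s.probability_reduction
        i *= 1.0 - s.impact_reduction
    return p * i


def vulnerabilities(asset: Asset) -> List[str]:
    """Threats with no risk-reducing safeguard in place: the definition of a
    vulnerability as the absence of a safeguard."""
    return [t.name for t in asset.threats if not applicable(t, asset.safeguards)]


def net_benefit(asset: Asset, threat: Threat, candidate: Safeguard) -> float:
    """Annual loss avoided by adding `candidate`, minus its annual cost."""
    before = expected_loss(threat, asset.safeguards)
    after = expected_loss(threat, asset.safeguards + [candidate])
    return (before - after) - candidate.annual_cost


def rank_mitigations(asset: Asset, candidates: List[Safeguard]) -> List[Tuple[str, str, float]]:
    """(threat, safeguard, net benefit) sorted best-first; a negative value
    marks a safeguard that costs more per year than the loss it avoids."""
    rows = []
    for t in asset.threats:
        for c in candidates:
            if t.name in c.mitigates:
                rows.append((t.name, c.name, round(net_benefit(asset, t, c), 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data; the figures are illustrative, not measurements.
CUSTOMER_DB = Asset(
    name="customer database",
    threats=[
        Threat("ransomware", probability=0.2, impact=500_000.0),
        Threat("disk failure", probability=0.1, impact=100_000.0),
    ],
    safeguards=[
        Safeguard("RAID mirroring", 2_000.0, probability_reduction=0.9,
                  mitigates=("disk failure",)),
    ],
)

CANDIDATES = [
    Safeguard("offline backups", 20_000.0, impact_reduction=0.8,
              mitigates=("ransomware",)),
    Safeguard("endpoint detection", 50_000.0, probability_reduction=0.5,
              mitigates=("ransomware",)),
]

if __name__ == "__main__":
    print("vulnerabilities:", vulnerabilities(CUSTOMER_DB))
    for threat, safeguard, benefit in rank_mitigations(CUSTOMER_DB, CANDIDATES):
        print(f"{threat:14} {safeguard:20} net benefit {benefit:>10,.0f}")
```

With the sample data, "ransomware" is the only vulnerability (no safeguard covers it), and the ranking shows why the cost-effectiveness step matters: offline backups avoid far more expected loss than they cost, while the more expensive detection tooling only breaks even under these constructed figures.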
Justification
Originally, the utility of computers lay in their ability to accelerate business
processes. If the system went down, it was inconvenient but it was not
catastrophic. Today, we use computers and the networks they are attached
to for so much more than just automating our business processes. If the
network is down, the enterprise is not working. If the data in the customer
database is not available, we are either losing business or not providing service.
If a safety-critical system is down, lives might be endangered. We depend on
our computers and networks; they are integral to the success of the enterprise.
Business decisions are based on information stored, generated, transmitted,
and presented electronically. How sure is management that the data on which