68 Managing Network Vulnerability Assessment
Are there enough employees to support current business goals? Security errors and "short-cuts" are more likely to occur in highly stressed environments. If people are under pressure to deliver on tight deadlines, careful observance of security practices is likely to be the first casualty.

Do employees and project managers know their roles and responsibilities?

Are current employees performing necessary and sufficient tasks, or could any of their tasks be considered wasteful? Ensuring that only necessary jobs are being done helps employees focus on keeping the essentials well organized. Ensuring that a sufficient job is being done ensures that time is not wasted in correcting problems caused by incomplete solutions. Efforts past sufficiency in a resource-poor environment are wasteful.

Are employees performing their tasks efficiently and effectively? Ensuring that work is efficiently and effectively performed saves time and energy, allowing employees to complete tasks to a sufficient performance level.

Are employees properly trained? Do they have the necessary expertise to implement security practices identified by the assessment process? Employees cannot implement that which they do not understand. Also, the organization needs to be sure that technology expertise is not concentrated in any single employee. What happens if key employees are disabled or unavailable? It is a good idea to spread critical knowledge around so that the loss of one critical employee does not precipitate a security incident.

Does the organization need to acquire additional security expertise? Can current employees acquire additional expertise from training? From an employee skill assessment, the organization can determine where its employees lack qualifications and experience. Increased security may require additional, specialized expertise, which may be obtained by training employees.

Does the organization need to hire outside expertise (consultant)? What are the security issues associated with outsourcing? Before adding outside expertise, the organization should evaluate the risks associated with outsourcing such activities.

Does the organization handle employee terminations in such a way that data and physical security are maintained? Human resources procedures for employee termination need to be documented. For example, system administrators need to be formally notified by HR in a timely manner when someone leaves the company. System administrators need to know that employees and contractors are legitimate and what level of access they should have to company information.

Physical Plant and Facilities
The security of company equipment and facilities is just as important as the security of the network infrastructure. Inadequate physical security may allow theft or sabotage of information, and compromise the network. Once the network is compromised, the expectation of trust has been violated.

When assessing physical and facility security, the NVA team should consider the following: