2 Managing Network Vulnerability Assessment
A risk analysis also lets an enterprise take control of its own destiny. With an effective risk analysis process in place, only those controls and safeguards that are actually needed will be implemented. An enterprise will never again face having to implement a mandated control to “be in compliance with audit requirements.”
A risk analysis should be conducted whenever money or resources are to be spent. Before starting a task, project, or development cycle, an enterprise should conduct an analysis of the need for the project. Understanding the concepts of risk analysis and applying them to the business needs of the enterprise will ensure that only necessary spending is done.
Once a risk analysis has been conducted, it will be necessary to conduct a cost-benefit analysis to determine which controls will help mitigate the risk to an acceptable level at a cost the enterprise can afford. It is unwise to implement controls or safeguards just because they appear to be the right thing to do, or because other enterprises are doing so. Each organization is unique, and the levels of revenue and exposure are different. By conducting a proper risk analysis, the controls or safeguards will meet the enterprise’s specific needs. (For more information on risk analysis, see Information Security Risk Analysis by Thomas Peltier (Auerbach Publications).)
Once the controls or safeguards have been implemented, it is appropriate to conduct an assessment to determine if the controls are working. In the information security profession, the term “vulnerability” has been defined as a condition of a missing or ineffectively administered safeguard or control that allows a threat to occur with a greater impact or frequency, or both. When conducting a network vulnerability assessment (NVA), the team will be assessing existing controls, safeguards, and processes that are part of the network. This process — the assessment — will ensure that controls are effective and that they will remain so.
Network Vulnerability Assessment (NVA)
This book was developed to assist the reader in managing all aspects of the network vulnerability assessment (NVA) process. We examine the development of a proper project plan, how to assess your biggest needs, what methodology to use, what tools to employ, and what a typical report should look like.
Exhibit 1. Information Security Life Cycle [figure: a cycle with the stages Risk Analysis, Cost/Benefit, Implementation, and Vulnerability Assessment]