Network Vulnerability Assessment Sample Report 171
Exhibit 4. Analysis (Continued)
important that employees receive ongoing training in proper security practices, including proper disposal of hardcopy sensitive and critical material. System and network administrators also need additional specialized training in system and network security. They need to know your systems better than a hacker, and this level of knowledge requires training. Currently, such advanced training is optional — it should be mandatory.
Personnel
Bogus Corporation’s system administrators provide the management behind access to data. It is important that all staff members have a consistent understanding of what data is critical (ISO 17799, 5.2.1), what data is sensitive, and how the overall administration of access to data is managed. This understanding does not appear to be consistent; variances in practice exist concerning password management and administration, auditing and logging, network access of temporary and permanent employees, and access to data based on job function alone. Overall, each individual charged with the management or administration of access to information needs to be aware of established policy, the principles of information security, and how to implement information security effectively.
Furthermore, all practices need to be documented (ISO 17799, 6.1.1). At present, too much essential system knowledge is in the heads of employees. If a senior system administrator were to leave or become unexpectedly disabled, you would not be able to easily replace his or her knowledge of your systems, and system functioning could be severely impacted.
Technical Management and Network Practices
Reporting Structure
Risk = medium. Some system administrators report to managers within the IT organization; others report to the manager of the functional group to which they provide systems support. Such an arrangement tends to provide better service to IT customers but often fails to provide consistent administration of security practices.
Recommendation. Matrixed reporting might provide for more consistency in network security administration. A permanent Information Security Steering Committee (ISSC) (ISO 17799, 4.1.1) should be established, with members drawn from IT and major user groups. This group’s charter would be to approve and support the vision and goals of Bogus Corporation’s information protection program. The members of this group should provide guidance in the consistent implementation of security throughout the organization, ensure that the resources are adequate for the successful implementation and maintenance of this program, and provide training for all users in security practices.