Network Vulnerability Assessment Sample Report 181
Exhibit 6. Recommendations to Mitigate Risks
Policy Development (ISO 17799, Item 3.1.1)
A comprehensive and clearly articulated security policy needs to be developed.
Such a policy would provide the guidelines and define the practices that must
be followed to protect Bogus’ critical and confidential information and to
provide security to the network.
Information Protection Oversight (ISO 17799, Item 4.1.1)
The responsibility for information security should be consolidated into one
office or person that reports directly to senior management. This allows for
the development and implementation of one set of security policies and
practices throughout the organization.
Network Facility Security (ISO 17799, Item 7.1.1)
Physical access to the facility needs to be restricted to authorized employees
only. Fire hazards need to be removed, and the entire facility needs to meet
fire safety codes. Keys should be inventoried and stored in a secure place,
and password information should not be recorded. All electronic information
that gives information about computing facilities and architecture should be
stored in a secure place on the network, and physical data about personnel
and network access should be stored out-of-sight.
Disaster Recovery/Business Continuity (ISO 17799, Item 11.1.1)
No coordinated disaster recovery plan exists. Although data is backed up and
stored off-site, no plans for recovering servers or facility systems in the event
of a disaster or business interruption are available. Such a comprehensive plan
needs to be put together as soon as possible, starting with a comprehensive
IT systems recovery plan.
Information Security Awareness (ISO 17799, Item 6.2.1)
All employees need to understand their responsibilities in protecting Bogus
systems and information. This requires orientation training for new employees
and ongoing training for existing employees. Those employees with more
responsibility for protecting information resources, such as system administrators,
need to receive ongoing training so that their skills remain up-to-date.
Computer Incident Response Team (ISO 17799, Item 6.3)
Denial of access to system operations could seriously impede Bogus’ ability
to use and sustain business operations. With prepared Computer Incident
Response strategies, a coordinated response to an incident could be provided.
Logging and Auditing (ISO 17799, Item 9.7)
There is insufficient logging of system event data in the network environment
to identify and reconstruct incidents or attempts to penetrate the internal
network. The internal audit department has not implemented sufficient controls
to protect system administration personnel from creating accounts and subverting
access to critical and sensitive data.
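The logging finding above has two parts: event data is missing from some systems, and account-management actions by administrators are not audited against an approved change. The following Python script is an added example, not part of the sample report, showing how a reviewer could check both over forwarded system logs. The log format, hostnames, user names and change-ticket identifiers are constructed for the example and are not taken from the assessed environment.

```python
"""Review audit-log lines for (a) inventoried hosts that sent no events at all,
which is a logging gap, and (b) account-management actions that carry no
approved change reference, which is unaudited administrative activity.

All log lines, hostnames, user names and ticket identifiers below are
constructed for this example."""
import re

# Constructed sample log lines in a syslog-like format.
SAMPLE_LOG = """\
2024-03-01T08:02:11 srv-file01 useradd[4123]: new user: name=jsmith, UID=1042, by=admin1 change=CHG-1001
2024-03-01T08:05:40 srv-file01 usermod[4130]: add 'jsmith' to group 'wheel' by=admin1
2024-03-01T09:17:05 srv-db01 sshd[2201]: Accepted publickey for dba2 from 10.0.5.14
2024-03-01T11:40:52 srv-db01 useradd[2290]: new user: name=svc_backup, UID=1050, by=admin1 change=CHG-1002
2024-03-01T13:03:09 srv-web01 useradd[911]: new user: name=tmpadmin, UID=1060, by=admin1
"""

# Hosts that are supposed to forward their system logs (constructed inventory).
EXPECTED_HOSTS = {"srv-file01", "srv-db01", "srv-web01", "srv-mail01"}

# Change tickets approved by the review process (constructed).
APPROVED_CHANGES = {"CHG-1001", "CHG-1002"}

# Timestamp, host, program name with PID, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[a-z_]+)\[\d+\]: (?P<msg>.*)$"
)
# Programs whose events are account-management changes and must be audited.
ACCOUNT_PROGS = {"useradd", "usermod", "userdel", "groupadd"}
CHANGE_RE = re.compile(r"change=(CHG-\d+)")


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def logging_gaps(log_text, expected_hosts):
    """Inventoried hosts that produced no events at all in this log set."""
    seen = {e["host"] for e in map(parse_line, log_text.splitlines()) if e}
    return sorted(expected_hosts - seen)


def unapproved_account_changes(log_text, approved_changes):
    """Account-management events whose change reference is missing or not approved."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["prog"] not in ACCOUNT_PROGS:
            continue
        m = CHANGE_RE.search(e["msg"])
        change = m.group(1) if m else None
        if change not in approved_changes:
            findings.append(
                {"host": e["host"], "prog": e["prog"], "change": change, "msg": e["msg"]}
            )
    return findings


if __name__ == "__main__":
    for host in logging_gaps(SAMPLE_LOG, EXPECTED_HOSTS):
        print(f"LOGGING GAP: no events received from {host}")
    for f in unapproved_account_changes(SAMPLE_LOG, APPROVED_CHANGES):
        print(f"UNAPPROVED CHANGE on {f['host']} via {f['prog']}: {f['msg']}")
```

Run against the constructed log, the script reports one host that never sent events and two account changes without an approved ticket (a group membership change and a new account). In practice the inventory and approved-change set would come from the asset register and the change-management system, and the review would run on a schedule rather than by hand.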
Exhibit 7. Final Comments
All employees who were interviewed were helpful and extremely cooperative
in their assessment of present information system conditions. The purpose of
this report is to identify potential vulnerabilities to serve as a foundation for
future corrective action. Such corrections can form the basis for the company’s
information management decisions.
Computer networks are dynamic and notoriously subject to change. This
means that information protection strategies must include frequent assessments
of existing data storage and handling practices. Once policies have been
established, the practices can be implemented to fulfill the policy goals of
network and information protection. The NVA team believes that such attention
to policy and practice will result in significant reduction in cost and risk to
Bogus Corporation.
Exhibit 8. Summary Table of Risk, Vulnerabilities, and Recommendations
Risk level | Risk | Vulnerability | Recommendation
--- | --- | --- | ---
High | Security policy | Without policy, information protection is not supported | Create security policies and processes (ISO 17799, 3.1.1)
High | Oversight | Security is breached because no one is responsible for preventing it | Provide centralized oversight of policy and processes (ISO 17799, 4.1.1)
High | Facility access | Unauthorized personnel can gain access to the computing facility | Provide enhanced access control to computing facility (ISO 17799, 7.1.1)
High | Disaster recovery | Business may be unable to recover from a serious business interruption | Create a Disaster Recovery/Business Continuity plan (ISO 17799, 11.1.1)
Medium | Security awareness | Confidential data is not protected because employees do not know what their responsibilities are | Train all staff in information protection practices (ISO 17799, 6.2.1)
Medium | Documentation | A knowledgeable employee leaves, taking a lot of system knowledge with him | Document IT processes (ISO 17799, 6.3)
Medium | Logging and auditing | The network is attacked and no one realizes it | Log and audit all change activities on the network (ISO 17799, 9.7)
Medium | Paper disposal | Critical and sensitive data is discarded in a publicly available Dumpster | Provide necessary furniture to properly protect information (ISO 17799, 5.2.2)
Low | Security incident | A security incident is inadvertently divulged to the media | Create a Computer Security Incident Response Team (ISO 17799, 6.3)
Exhibit 9. Glossary
Business continuity plan: A coordinated set of activities designed to reestablish an
organization’s information system function after experiencing a man-made or natural
disaster that destroys or partially inhibits normal functioning.
Countermeasure: A safeguard implemented against a specific threat or in reaction to
a specific incident.
Critical data: The data, the loss of which would have a direct impact upon the
company’s survival.
Data classification: The development of classes of data depending on sensitivity and
the access, control, and management standards for each class.
Disaster recovery plan: A coordinated set of rules, practices, and responses that are
designed to identify the most critical information system applications to an
organization for safeguarding in the event of a man-made or natural disaster that
threatens the organization.
Risk: The likelihood that a vulnerability might be exploited, or that a threat may become
harmful.
Safeguard: Measure taken to negate or reduce a threat.
Sensitive data: That data, the release, misuse, or loss of which could cause direct
embarrassment to the organization or result in significant legal proceedings against
the organization.
Threat: The potential for exploitation of a vulnerability.
Trust: A confident reliance on the integrity, honesty, or justice of another. Trust refers
to the ability of the application to perform actions with integrity, to keep confidential
information private, and to perform its functions on a continuing basis.
Vulnerability: A weakness in a system that can be exploited to violate the system’s
intended behavior.