Network Vulnerability Assessment Sample Report 181
Exhibit 6. Recommendations to Mitigate Risks
Policy Development (ISO 17799, Item 3.1.1)
A comprehensive and clearly articulated security policy needs to be developed.
Such a policy would provide the guidelines and define the practices that must
be followed to protect Bogus’ critical and confidential information and to
provide security to the network.
Information Protection Oversight (ISO 17799, Item 4.1.1)
The responsibility for information security should be consolidated into one
office or person that reports directly to senior management. This allows for
the development and implementation of one set of security policies and
practices throughout the organization.
Network Facility Security (ISO 17799, Item 7.1.1)
Physical access to the facility needs to be restricted to authorized employees
only. Fire hazards need to be removed, and the entire facility needs to meet
fire safety codes. Keys should be inventoried and stored in a secure place,
and password information should not be recorded. All electronic information
that gives information about computing facilities and architecture should be
stored in a secure place on the network, and physical data about personnel
and network access should be stored out-of-sight.
Disaster Recovery/Business Continuity (ISO 17799, Item 11.1.1)
No coordinated disaster recovery plan exists. Although data is backed up and
stored off-site, no plans for recovering servers or facility systems in the event
of a disaster or business interruption are available. Such a comprehensive plan
needs to be put together as soon as possible, starting with a comprehensive
IT systems recovery plan.
Information Security Awareness (ISO 17799, Item 6.2.1)
All employees need to understand their responsibilities in protecting Bogus
systems and information. This requires orientation training for new employees
and ongoing training for existing employees. Those employees with more
responsibility for protecting information resources, such as system administrators,
need to receive ongoing training so that their skills remain up-to-date.
Computer Incident Response Team (ISO 17799, Item 6.3)
Denial of access to system operations could seriously impede Bogus’ ability
to use and sustain business operations. With prepared Computer Incident
Response strategies, a coordinated response to an incident could be provided.
Logging and Auditing (ISO 17799, Item 9.7)
There is insufficient logging of system event data in the network environment
to identify and reconstruct incidents or attempts to penetrate the internal
network. The internal audit department has not implemented sufficient controls
to protect system administration personnel from creating accounts and subverting
access to critical and sensitive data.
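The logging finding above is about two gaps: event data too thin to reconstruct an incident, and no independent control over administrators creating accounts or granting themselves access. As an added illustration (not part of the sample report, and not tooling from the assessment), the script below shows what the audit department could reconstruct once the right events are logged: it parses a few constructed Linux auth.log-style lines (sudo, useradd, usermod and sshd entries; the format and all names, hosts and addresses are assumptions) and attributes each new account and privileged-group change to the administrator who ran the command and the address they logged in from, flagging anything that touched a privileged group or could not be attributed.

```python
import re

# Constructed sample lines in Linux auth.log style; hosts, users and addresses are invented.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:31 srv1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Mar 10 02:15:02 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup
Mar 10 02:15:02 srv1 useradd[2250]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar 10 02:15:40 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup
Mar 10 02:15:40 srv1 usermod[2263]: add 'svc_backup' to group 'sudo'
Mar 10 09:00:12 srv1 sshd[3100]: Accepted password for bob from 10.0.0.9 port 40000 ssh2
Mar 10 09:01:00 srv1 cron[3200]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : .*COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+)")
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")

# Groups whose membership grants administrative access (assumed list).
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "adm"}
# Commands that create accounts or change their privileges.
ACCOUNT_TOOLS = ("useradd", "usermod", "groupadd", "passwd", "chpasswd")


def parse_events(text):
    """Turn raw log lines into structured event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base = {"ts": m.group("ts"), "host": m.group("host")}
        rest = m.group("rest")
        if (s := SUDO_RE.search(rest)):
            cmd = s.group("cmd")
            tool = next((t for t in ACCOUNT_TOOLS if "/" + t in cmd or cmd.startswith(t)), None)
            events.append({**base, "type": "sudo", "actor": s.group("actor"),
                           "cmd": cmd, "account_tool": tool})
        elif (u := USERADD_RE.search(rest)):
            events.append({**base, "type": "user_created", "name": u.group("name")})
        elif (g := USERMOD_RE.search(rest)):
            events.append({**base, "type": "group_added", "name": g.group("name"),
                           "group": g.group("group")})
        elif (l := LOGIN_RE.search(rest)):
            events.append({**base, "type": "login", "user": l.group("user"), "src": l.group("src")})
    return events


def reconstruct_account_changes(events):
    """Correlate account creation and privilege changes with the admin who made them.

    useradd/usermod lines name the account but not the operator; the sudo line
    that invoked them does. Attribution heuristic: the most recent sudo call of an
    account tool on the same host whose argument list contains the account name.
    The actor's source address is taken from their most recent accepted SSH login.
    """
    last_login = {}   # user -> source address of last accepted login
    admin_cmds = []   # sudo events that ran an account-management tool
    accounts = {}     # account name -> finding
    for ev in events:
        if ev["type"] == "login":
            last_login[ev["user"]] = ev["src"]
        elif ev["type"] == "sudo" and ev["account_tool"]:
            admin_cmds.append(ev)
        elif ev["type"] in ("user_created", "group_added"):
            actor = next((c["actor"] for c in reversed(admin_cmds)
                          if c["host"] == ev["host"] and ev["name"] in c["cmd"].split()), None)
            f = accounts.setdefault(ev["name"], {
                "account": ev["name"], "host": ev["host"], "first_seen": ev["ts"],
                "created_by": None, "source_ip": None, "privileged_groups": []})
            if ev["type"] == "user_created":
                f["created_by"] = actor
                f["source_ip"] = last_login.get(actor)
            elif ev["group"] in PRIVILEGED_GROUPS:
                f["privileged_groups"].append(ev["group"])
                f["created_by"] = f["created_by"] or actor
                f["source_ip"] = f["source_ip"] or last_login.get(actor)
    # Anything that gained a privileged group, or cannot be tied to an operator, needs review.
    for f in accounts.values():
        f["needs_review"] = bool(f["privileged_groups"]) or f["created_by"] is None
    return list(accounts.values())


def audit_account_changes(text=SAMPLE_AUTH_LOG):
    """Full pipeline: raw log text -> list of account findings for the audit department."""
    return reconstruct_account_changes(parse_events(text))


if __name__ == "__main__":
    for finding in audit_account_changes():
        print(finding)
```

On the constructed input the script reports one account, svc_backup, created by alice from 10.0.0.5 and then added to the sudo group, marked for review. The point for the finding above is that none of this reconstruction is possible unless sudo, account-tool and login events are all being logged and forwarded somewhere the administrators themselves cannot edit.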