Network Vulnerability Assessment Methodology 49
it is making business decisions is accurate? How much trust can be placed in
that information? Management is required to perform due diligence, which
means that management needs accurate information to be available. The networks
must be available, the information contained in them must have
integrity, and all sensitive information must be kept confidential. ISO
17799 defines these three terms in the following manner:
1. Integrity. The information is as intended, without inappropriate modification
or corruption.
2. Confidentiality. The information is protected from unauthorized or accidental
disclosure.
3. Availability. Authorized users can access applications and systems when
required to do their jobs.
The NVA ensures that these three key information security concepts are
met within the network infrastructure. The NVA provides management with
the information it needs to determine the risks, threats, safeguards, and
vulnerabilities of the information and processes stored on its network(s). The
NVA outlines the existing vulnerabilities in the system and identifies strategies
for mitigating those vulnerabilities.
Philosophy
Because every organization has different security requirements, an NVA must
be implemented to meet specific security needs. The NVA is used to evaluate
the systems and the data in the context of one’s operating environment,
business practices, and strategic goals. The goal is always to reach the right
balance between security and effective system utilization.
The NVA examines the network systems from both a policy and a practice
point of view — this is identified as top-down and bottom-up assessments
(see Exhibit 1). The advantage of this dual approach is that it is thorough.
The top-down assessment uses existing security-related policies and procedures,
and the bottom-up assessment uses commonly accepted security practices,
known problems, and vulnerabilities.
Top-Down Examination
The top-down examination concentrates on the extent to which policies and
procedures promote a secure computing environment. The NVA team examines
the procedural framework that corporate security rests on and also the depth
to which these policies and procedures are understood and implemented in
the organization. The top-down examination evaluates the areas listed in
Exhibit 2.
Using this information, you will be able to identify vulnerabilities resulting
from missing or inadequate policies and procedures, and how these affect the