Network Vulnerability Assessment Methodology 79
Summary
To be successful, the NVA team will have to identify what network security
concerns have the highest priority. This will allow the team to focus on those
threats and risks that can cause the enterprise the most damage. Understanding
that the security concerns include personnel and physical, as well as technical
issues, will give the assessment the most comprehensive scope.
Establishing a team that represents the enterprise will also add to the
credibility of the assessment results. Using enterprise personnel will ensure
that those individuals with the most intimate knowledge of how the network
works and how it is supposed to work will have input into the report. Be
sure to include representatives from the user community. Some of the best
and most knowledgeable network users come from the business units.
Use all of the resources available to plot what threats will be addressed.
Do your research to gather significant issues and then prioritize these risks
based on the probability of occurrence and impact to the enterprise or network.
Concentrate on those issues that will bring the biggest impact to your organization.
Use your team to identify additional items and measure their specific impact.
Developing a checklist will assist the NVA team in ensuring that basic
security controls are examined. Do not just use the checklist. Listen and ask
questions and be ready to include additional information in the examination
process.
An NVA can take a considerable amount of time to complete. Divide the
total mission into manageable chunks and then begin the process. Complete
one phase before moving on to the next. Be sure to get support from the
infrastructure groups; this will make the task easier. Remember that it is not
your NVA, it is the organization’s NVA.
Notes
1. The International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) form a specialized system on worldwide
standardization. National bodies that are members of ISO and IEC participate
in the development of international standards through technical committees.
The United States through the American National Standards Institute (ANSI) is
the secretariat. Twenty-four other nations have participant status and 40 other
nations are observers. National bodies that are members of ISO and IEC, like ANSI,
participate in the development of international standards through technical
committees. The draft standards are circulated to the national bodies for voting.
Publication as an international standard requires approval by at least 75 percent of
the national bodies casting a vote. ISO 17799 was adopted through this process in
December 2001. A copy of the ISO 17799 can be obtained by accessing the URL
www.iso17799.net. The cost of the document is approximately $140.
2. Critical data is that data the absence or misuse of which will cause the organizational
entity to fail or incur serious loss. Sensitive data is that which, if released or
destroyed, would cause serious problems or embarrassment to the organization.
3. Personal privacy, within the context of an organization’s infrastructure, is a matter
of policy and can have little to do with people’s rights outside an organization.