Network Vulnerability Assessment Sample Report 161
recommendations are ranked in order of their critical importance. This section
concludes with a summative table listing all recommendations in order of
importance (risk levels).
Final Comments
See Exhibit 7 for a sample of Final Comments.
Summary Table of Risk, Vulnerabilities, and Recommendations
See Exhibit 8 for a sample Summary Table of Risk, Vulnerabilities, and
Recommendations.
Glossary
See Exhibit 9 for a sample Glossary.
Summary
When developing your findings and recommendations, stick to the facts. Try
not to let your opinions and those of the team color the findings. It is important
to stay as neutral as possible. Listen to the people in the interviews and get
their concerns and opinions. Do not go into an assessment with a preconceived
idea of what the results will be.
The sample report is presented as a guide to what you might want to
consider including in your report. Check Appendix C to see a complete report.
Notes
1. In a real network vulnerability assessment, this section is quite detailed, quite
technical, and covers all aspects of the organization's computing systems. For the
purposes of this example document, only a few vulnerabilities and risks in each
category are covered.
162 Managing Network Vulnerability Assessment
Exhibit 1. Sample Executive Summary
Important Note: This report contains sensitive and highly confidential information
that could be used to the detriment of Bogus Corporation. It is strongly
recommended that this report is classified as confidential and distribution is
restricted. All copies should be numbered and kept in a secure location when
not in use.
Introduction
The Network Vulnerability Assessment Team (NVA Team) reviewed the security
policy and practices of the Bogus Corporation network. This effort revealed
that the network supports critical functions with sensitive data that, in turn,
support manufacturing, finance, and product design and development.
Through documentation reviews, in-depth interviews with key Bogus staff and
testing of portions of the network and network devices, the team drew
conclusions regarding the security of the network and the integrity of the data
it supports for Bogus Corporation. An investigation of these critical systems
revealed serious risks to corporate data and communications, which can be
mitigated by countermeasures recommended by our team of specialists.
Methodology
The NVA Team spoke with the managers and technicians of the network
systems as well as the information security practitioners who provide the
custodial protection for both critical and sensitive data in the organization’s
network. The team collected available documentation, regardless of status
(draft, preliminary outline, etc.) and conducted individual interviews with staff
associated with several business units. By paying close attention to actual
practice, and with the cooperation of the Bogus staff who contributed to our
understanding of both policy and practice, we have been able to identify
areas of security concern and to determine appropriate measures that the
Bogus Corporation can take to improve the security of its data and systems.
Results and Conclusions
The Bogus Corporation depends on a vast, complex network that supports a
significant amount of critical data. The NVA Team investigated several aspects
of the organization’s security and discovered that sensitive and critical data
has been exposed to a number of risks, as follows:
Lack of a coordinated security policy that addresses the protection of business-critical data (ISO 17799, Item 3.1)
Physical security of main servers and computer facilities (ISO 17799, Item 7.2)
Lack of awareness of basic data security practices among most Bogus staff (ISO 17799, Item 6.2)
Lack of a cohesive and coordinated disaster recovery and business continuity plan (ISO 17799, Item 11.1)
Inadequate controls on access to the corporate network and confidential corporate data (ISO 17799, Item 5.1)
Lack of a clearly defined security administration role (ISO 17799, Item 4.1)
Inadequate oversight of additions and deletions of applications and equipment to the network (ISO 17799, Item 10.5)
Lack of established procedures for handling security incidents (ISO 17799, Item 10.2, 10.5)
Inadequate logging of security-related events (ISO 17799, Item 6.3)
Recommendations
The results of the NVA indicate that Bogus Corporation needs to address
network security issues from a business systems aspect. The lack of coordination
for security issues leads to serious gaps in the security of the organization
that could be exploited by a hacker or an unauthorized user.
Establish a security oversight committee that is tasked with developing a
comprehensive security plan and implementation schedule. To be effective,
it must be evident that this committee receives complete support from
senior management (ISO 17799, Item 4.1.1).
The ability to recover the network from a man-made or natural disaster
needs to be assured. The organization needs to develop a comprehensive
disaster recovery/business continuity plan that can ensure that business-
critical operations can be brought back online rapidly in the event of a
security incident or business interruption (ISO 17799, Item 11.1.3).
Network and system administrators should be trained in the principles and
common practices of network security. They should be given the opportunity
for ongoing security training because the security field is constantly responding
to new threats to data security and integrity (ISO 17799, Item 6.2.1).
The Bogus Corporation should develop security policies that define access
criteria matrixed by function and data sensitivity. At the least, anomalous
network events should be logged and audited on a regular basis (ISO
17799, Item 9.1.1).
The physical security of the physical plant needs to be reviewed. Access
to critical hardware (servers, routers, and cables) must be limited to those
who have been approved for access based on their job functions (ISO
17799, Item 7.1.1).
Shredders need to be provided for secure disposal of confidential and
sensitive documents and other media. Staff needs to be trained to distinguish
between confidential data that requires special handling and ordinary
trash (ISO 17799, Item 5.2.2).
All staff needs to be trained in appropriate password control and use, and
password checking needs to be implemented on the network (ISO 17799,
Item 9.2.3).
Exhibit 2. Methodology Overview
Introduction
Originally, the utility of computers lay in their ability to accelerate business
processes. If the system went down, it was inconvenient, but it was not
catastrophic. Today, computers and networks are used for much more than
automating our business processes. If the network is down, we are not
working. If the data in the customer database is not available, we are losing
business. If a safety-critical system is down, lives may be endangered. This
enterprise depends on our computers and networks; they are integral to the
success of the business objective and mission.
Business decisions are based on information stored, generated, and presented
electronically. An effective information protection program is measured
by whether the organization exercised due diligence in seeking to prevent
and detect criminal conduct by its employees and other agents. In the event
of a security breach, corporate officers must be able to show that reasonable
care was exercised in order to avert charges of negligence.
The NVA provides management with the information they need to determine
the security, availability, and integrity of the information and processes
stored on their network(s). The NVA outlines the existing vulnerabilities in
the system and identifies strategies for mitigating those vulnerabilities.
Because every organization has different security requirements, the NVA is
implemented to meet the specific security needs. The NVA evaluates the
systems and the data in the context of the client’s operating environment,
business practices, and strategic goals. The goal is to reach the right balance
among security, effective system utilization, and cost for the enterprise.
Methodology
The NVA team met with Bogus Corporation staff to review your goals and
objectives for this NVA. Once the scope was established, a plan was developed
for gathering relevant information from major business units. The NVA team
identified the key functions in network operations that were critically important
to interview, and Bogus Corporation provided the NVA team with the names of
the people who should be contacted for these interviews. The Point of Contact (POC) assisted
the team in contacting the people who needed to be interviewed. After
reviewing the documentation and the interview information, the team determined
areas that required additional information, which were requested. The
team then analyzed all the data received, with particular attention to the needs
and concerns of the network staff and network customers that were interviewed,
and produced a Draft Report of findings, which was given to the
NVA sponsor. This Draft Report becomes final after the sponsor reviews the
findings and their comments are noted in the Final Report. The NVA team
investigated all the areas that exemplify how the network is managed. The
NVA team spoke with people who are familiar with the policies and practices
in effect at the time of the visit.
The review of Bogus Corporation’s environment included the following steps:
Phase I: Data Collection
Collected and began review of business objectives, strategic business
directions, mission statements, etc.
Collected and began review of existing policies, procedures, standards,
applicable regulations, laws, guidelines, circulars, letters, memos, audit
comments, etc.
Phase II: Interviews, Information Review, and Hands-On Investigation
Interviewed key department and business unit representatives
Interviewed internal customers of network services
Evaluated security performance of key hardware, network, and software
implementations
Phase III: Analysis
Identified existing security concerns and analyzed possible mitigating
practices
Identified critical data issues and sensitive data practices
Formulated actions to facilitate a successful implementation of a comprehensive
security program
Phase IV: Draft Report
Assessed Bogus’ existing security policies and procedures and made
recommendations, where appropriate
Evaluated risks implicit in Bogus' existing network implementation and
made recommendations for improved security practices, where appropriate
Assessed the effectiveness of currently implemented safeguards (including
firewalls) and made recommendations for improvement, where
appropriate
Presented the Draft Report to members of the Information Technology
Group and solicited their comments, which will be included in the
Final Report
Phase V: Final Report
A white paper and presentation to senior management (COO, CIO, and
executive managers); the NVA Team is available to answer questions
and clarify issues as needed