164 Managing Network Vulnerability Assessment
Exhibit 2. Methodology Overview
Introduction
Originally, the utility of computers lay in their ability to accelerate business
processes. If the system went down, it was inconvenient, but it was not
catastrophic. Today, computers and networks are used for much more than
automating our business processes. If the network is down, we are not
working. If the data in the customer database is not available, we are losing
business. If a safety-critical system is down, lives may be endangered. This
enterprise depends on our computers and networks; they are integral to the
success of the business objective and mission.
Business decisions are based on information stored, generated, and presented
electronically. An effective information protection program is measured by
whether the organization exercised due diligence in seeking to prevent and
detect criminal conduct by its employees and other agents. In the event of a
security breach, corporate officers must be able to show that reasonable care
was exercised in order to avert charges of negligence.
The NVA provides management with the information they need to determine
the security, availability, and integrity of the information and processes
stored on their network(s). The NVA outlines the existing vulnerabilities in
the system and identifies strategies for mitigating those vulnerabilities.
Because every organization has different security requirements, the NVA is
implemented to meet each organization's specific security needs. The NVA evaluates the
systems and the data in the context of the client’s operating environment,
business practices, and strategic goals. The goal is to reach the right balance
among security, effective system utilization, and cost for the enterprise.
Methodology
The NVA team met with Bogus Corporation staff to review your goals and
objectives for this NVA. Once the scope was established, a plan was developed
for gathering relevant information from major business units. The NVA team
identified the key functions in network operations that were critically important
to interview, and was provided with the names of the people who should be
contacted for these interviews. The Point of Contact (POC) assisted the team
in contacting the people who needed to be interviewed. After reviewing the
documentation and the interview information, the team determined the areas
that required additional information, which was then requested. The
team then analyzed all the data received, with particular attention to the needs
and concerns of the network staff and network customers who were
interviewed, and produced a Draft Report of findings, which was given to the
NVA sponsor. The Draft Report becomes final after the sponsor reviews the
findings and the sponsor's comments are noted in the Final Report. The NVA team
investigated all the areas that exemplify how the network is managed. The
NVA team spoke with people who are familiar with the policies and practices
in effect at the time of the visit.