Appendix B
Pre-NVA Checklist
Contacts
NVA Team Members
Identify the personnel who make up the NVA team. Be sure to include the sponsor.
Columns: Name and Department | Phone Number | E-mail Address
Sponsor
Project Lead
Policy Review Lead
Policy review support
Technical Review Lead
Technical support
216 Managing Network Vulnerability Assessment
Infrastructure Support Contacts
Identify the personnel who are primarily responsible for system and network
development, management, and maintenance. Please include name, job title,
responsibilities, phone number, and e-mail address of each person:
NT Domains
Netware Trees/Contexts
UNIX Systems
MVS Systems
Security systems (firewalls, key distribution systems, certificate authorities)
Identify personnel who are primarily responsible for the following areas:
Columns: Name and Department | Responsibilities | Phone Number | E-mail Address
Auditing
Physical Security
Technical Support Services
Contracts and Legislation
Corporate Inter- and Intranet
Facilities (Physical Plant)
Purchasing
Human Resources and Payroll
Records Maintenance/Retention
Security Policy
Other Corporate Policy, Guidelines, Standards, and Goals
Network
Identify the network elements that are part of the assessment.
Columns: Network Elements | Connections | Vendor, Model, Quantity, Name, and IPs
1. Components (e.g., routers, terminal servers, bridges, hubs): for numerous components of the same type, provide a typical configuration and the quantity of each.
Connections: describe the quantity and types of connections for each component.
2. Management systems: describe the systems used to manage the network (including monitoring).
3. Network services: describe the network services provided and where those services are provided. A network service is any service used by multiple platforms that traverses the network (e.g., directory/name, mail, time).
4. Security systems: describe any network- or host-based security products currently implemented.
5. Exception reports: for disruptions in either input or output.
Service/vendor name, description, and type of connection.
Description and diagram of current firewall implementation.
Description and diagram of current remote access implementation (dial-up and VPN architecture).
Host
Identify the critical host computer systems that are part of the assessment, where “host” refers to mainframes, servers, and workstations.
Columns: Network Elements | Connections | Vendor, Model, Quantity, Name, and IPs
1. Configuration: describe the configuration of each host; for workstations, provide a typical configuration and the quantity.
Number of users and types of users.
Management systems: describe the systems used to manage the network (including monitoring).
2. System software: identify system software (system vendor or third party) used on the host. Of primary interest is security-related software (e.g., assessment and monitoring tools).
3. Network services: identify the network services provided by, or used by, each host.
Applications
Identify the critical applications that are part of the assessment, including any major applications that execute on the hosts identified above.
Columns: Applications | BIA Ranking | Dependencies
1. Description: provide a brief description of the application; indicate the criticality of the application and the data used by the application.
2. Hosts: identify the hosts on which the application runs; if a client/server application, identify both the client and server systems.
Documentation
Priority 1 documents will be needed as soon as possible.
Columns: Document | Included | Not Available
Network Topology (Diagram)
Firewall Architecture
Remote Access Server Architecture
Detailed List of Mission-Critical Applications
  Brief description (purpose)
  Data storage method (database)
  Who is the data owner/administrator?
  Who are the users (job title)?
  Security mechanisms
  Sensitive or critical data