Before a network security policy can be established, a risk analysis has to be carried out. Risk analysis is the process of identifying what you need to protect, what you need to protect it from, and how to protect it. It is the process of examining all of your risks and ranking those risks by level of severity. A good way of assessing the risks of network connectivity is to first evaluate the network to determine which assets are worth protecting and the extent to which these assets should be protected. In principle, the cost of protecting a particular asset should not be more than the value of the asset itself. A detailed list of all assets should be made, including both tangible objects, such as servers and workstations, and intangible objects, such as software and data. Directories that hold confidential or mission-critical files must be identified. After identifying the assets, determine how much it costs to replace each asset so that the list of assets can be prioritized. Once the assets requiring protection are identified, it is necessary to identify the threats to these assets. The threats can then be examined to determine what potential for loss exists.
Examples of threats might include:

Unauthorized access/use of resources (authentication)
Denial of Service (availability)
Leakage of information (confidentiality)
Corruption/unauthorized change of data (integrity)
Natural disasters
Physical theft
Depreciation of product

A thorough risk assessment will be the most valuable tool in shaping a network security policy. The risk assessment indicates both the most valuable and the most vulnerable assets. A security policy can then be established that focuses security measures on these assets.

Quantifying Costs for Security Related System Damage

These questions can be an important first step to putting a quantitative value on security vulnerabilities, which enables the calculation of an ROI for a security product investment.
Viruses

How many times per year does the network fail due to a virus infection?
How long does it take to bring the network back on line (per incident)?
How much revenue is lost when the network goes off-line?
How many employees are on the Recovery team? Who are the employees? Are they cross-trained and vacation covered?
How many transactions are processed per hour?
What is the average amount of revenue generated per transaction?
How many internal users are dependent on the gateway?
How many external users are dependent on the gateway?
How many customers are dependent on the gateway?
What is the average amount of staff productivity time lost each time the network goes off-line?
What is the average amount of productive time that is lost (on normal projects) by the Recovery team?
Are there SLA (Service Level Agreement) cost liabilities for downtime with key customers?
What are the risks associated with downtime and data loss, and are these risks addressed in the reseller's security policy?
For Exchange users: How many times is the Exchange server taken off-line due to a virus?
For Lotus Notes users: How many times is the Lotus Notes server taken off-line due to a virus?

Unauthorized Intruders

How many end users have access to your secured network?
What is the average amount of time each end user surfs the Internet for non-work related information?
How much of your network bandwidth is being utilized for non-work related traffic?
How many times per year do end users obtain access to applications that they do not have permissions to access?
When an intruder makes it past the Firewall, how long does it take the organization to detect their presence?
How many remote users have the authority to access the network inside of the Firewall?
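The following is an added worked example, not part of the original text, showing how the questionnaire answers above (incidents per year, hours to recover, transactions per hour, revenue per transaction, Recovery team size, SLA penalties) feed an annual loss figure and an ROI for a security product, and how the asset list is ranked by expected loss with the "protection should not cost more than the asset" rule applied. All numbers and the DowntimeProfile/rank_assets names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DowntimeProfile:
    """Answers to the cost questionnaire for one outage type (constructed sample values)."""
    incidents_per_year: float        # how many times per year the network fails
    hours_to_recover: float          # time to bring the network back on line, per incident
    transactions_per_hour: float     # transactions processed per hour
    revenue_per_transaction: float   # average revenue generated per transaction
    recovery_team_size: int          # employees on the Recovery team
    hourly_staff_cost: float         # loaded cost of one Recovery team member per hour
    sla_penalty_per_incident: float  # SLA liability owed to key customers per outage


def single_loss_expectancy(p: DowntimeProfile) -> float:
    """Cost of one outage: lost transaction revenue + recovery labour + SLA penalty."""
    lost_revenue = p.hours_to_recover * p.transactions_per_hour * p.revenue_per_transaction
    labour = p.hours_to_recover * p.recovery_team_size * p.hourly_staff_cost
    return lost_revenue + labour + p.sla_penalty_per_incident


def annual_loss_expectancy(p: DowntimeProfile) -> float:
    """Expected yearly loss = incident frequency x cost per incident."""
    return p.incidents_per_year * single_loss_expectancy(p)


def control_roi(p: DowntimeProfile, annual_control_cost: float,
                residual_incidents_per_year: float) -> float:
    """ROI of a security product that cuts incident frequency: (loss avoided - cost) / cost."""
    loss_before = annual_loss_expectancy(p)
    loss_after = residual_incidents_per_year * single_loss_expectancy(p)
    return (loss_before - loss_after - annual_control_cost) / annual_control_cost


def rank_assets(assets: Dict[str, Tuple[float, float]]) -> List[Tuple[str, float]]:
    """Rank assets by expected annual loss.

    assets maps name -> (replacement cost, estimated annual probability of loss).
    Highest expected loss first, which is the order the security policy should address them in.
    """
    scored = [(name, cost * prob) for name, (cost, prob) in assets.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def protection_is_proportionate(replacement_cost: float, annual_protection_cost: float) -> bool:
    """The cost of protecting an asset should not exceed the value of the asset itself."""
    return annual_protection_cost <= replacement_cost


# Constructed sample: four virus outages a year, six hours each to recover.
VIRUS_OUTAGES = DowntimeProfile(4, 6, 200, 25.0, 3, 60.0, 2000.0)
```

With the constructed profile, one outage costs 33,080 and the annual loss expectancy is 132,320; a product costing 20,000 per year that leaves one outage a year yields an ROI of roughly 3.96.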