Security Basics mailing list archives

Re: security plan


From: "Rodrigo Blanco" <rodrigo.blanco.r () gmail com>
Date: Mon, 15 Jan 2007 14:37:19 -0600

Hi nawalmiftahi,

I would say that the first thing to do is a risk analysis (which
should roughly include at least these steps):

1.- Identifying assets and assigning them a value with regard to your
activity / business. Assets can be almost anything (hardware: servers,
communications devices; services: network services, applications;
databases; printed information... whatever can adversely impact your
business if its security properties - confidentiality, integrity,
availability - are affected). IMHO, assets directly related to
business information are critical.
2.- Identifying threats that might impact these assets and estimating
the likelihood they will materialize, and the impact on your activity.
3.- From these pieces of information, calculate the risks,
prioritizing higher risks for your organization's activity.

There are several tools / methodologies for risk analysis (CRAMM, BSI,
Octave, NIST... you name it) with different prices and formality. Or
you can start off with an informal approach, depending on the
resources at your disposal. It is sometimes a good idea not to go into
too much detail on a first approach in identifying assets.

Afterwards, it is good to have the management decide and formally
approve the level of risk which is accepted. Risks above it should be
treated with security controls, and risks below this level will be
accepted and not treated.

The action plan can be built from the series of risks to be treated
with specific security controls (that is, those which exceed the
accepted level of risk), as a series of security projects. These
projects are aimed at implementing technical or procedural security
measures in order to reduce those risks below the accepted risk level.

It is ideal to repeat this process on a periodic basis (as your
activity and environment change over time) and include it in a broader
framework, such as an ISMS.

Hope it helps.

Regards,
Rodrigo.


On 15 Jan 2007 05:12:07 -0000, nawalmiftahi () gmail com
<nawalmiftahi () gmail com> wrote:
Hi all,
  We have a security strategy defined, and I am asked to make an action plan for the above strategy (which is a general
strategy from Microsoft security). The question I am concerned with is where do I have to start? I came to know that the
1st step is identifying assets, so how should one identify the assets, like what all should be considered: only
servers or any network infrastructure? And should VA be included in the above plan...
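The three steps in the reply above (value the assets, rate each threat's likelihood and impact, compute and rank the risks, then split them at the risk level management has approved) as a small quantitative risk register. This is an added example and not code from the thread; the 1..5 ordinal scales, the value x likelihood x impact formula, the sample assets and threats, and the accepted risk level of 30 are all assumptions chosen for illustration, not figures from any of the methodologies named.

```python
"""Toy quantitative risk register illustrating the three steps in the reply:
assets with a business value, threats with likelihood and impact, risks
computed and ranked, then split at a management-approved accepted level.
Every value below is constructed for the example (assumed, not from the thread)."""

from dataclasses import dataclass

SCALE = range(1, 6)  # every rating uses an ordinal 1 (lowest) .. 5 (highest) scale


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # importance to the business if its C/I/A is affected

    def __post_init__(self):
        if self.value not in SCALE:
            raise ValueError(f"asset {self.name}: value {self.value} not in 1..5")


@dataclass(frozen=True)
class Threat:
    asset: str          # name of the asset the threat acts on
    description: str
    likelihood: int     # estimated chance the threat materialises
    impact: int         # severity for the asset's security properties

    def __post_init__(self):
        for field_name in ("likelihood", "impact"):
            if getattr(self, field_name) not in SCALE:
                raise ValueError(f"{self.description}: {field_name} not in 1..5")


@dataclass(frozen=True)
class RiskEntry:
    score: int
    asset: Asset
    threat: Threat


def risk_score(asset: Asset, threat: Threat) -> int:
    # Risk = asset value x likelihood x impact (1..125). A product rather than a
    # sum, so an unlikely event on a critical asset still outranks a likely but
    # harmless event on a trivial one.
    return asset.value * threat.likelihood * threat.impact


def build_register(assets, threats):
    """Step 3: score every (asset, threat) pair and rank highest risk first."""
    by_name = {a.name: a for a in assets}
    entries = []
    for t in threats:
        if t.asset not in by_name:
            # A threat against an asset nobody inventoried means step 1 was
            # incomplete; fail loudly instead of silently dropping the risk.
            raise KeyError(f"threat '{t.description}' names unknown asset '{t.asset}'")
        entries.append(RiskEntry(risk_score(by_name[t.asset], t), by_name[t.asset], t))
    return sorted(entries, key=lambda e: e.score, reverse=True)


def action_plan(register, accepted_risk):
    """Split the register at the approved level: entries above it become
    security projects, the rest are formally accepted as they are."""
    treat = [e for e in register if e.score > accepted_risk]
    accept = [e for e in register if e.score <= accepted_risk]
    return treat, accept


def control_is_sufficient(entry, accepted_risk, new_likelihood=None, new_impact=None):
    """Check that a proposed control really brings the residual risk down to the
    accepted level. A control may reduce likelihood (patching), impact (backups)
    or both; whichever rating is not given keeps its original value."""
    lk = entry.threat.likelihood if new_likelihood is None else new_likelihood
    im = entry.threat.impact if new_impact is None else new_impact
    residual = entry.asset.value * lk * im
    return residual <= accepted_risk, residual


# Constructed sample inventory and threat list (assumed values).
ASSETS = [
    Asset("customer_db", 5),
    Asset("printed_customer_records", 4),
    Asset("mail_server", 3),
    Asset("public_web_server", 3),
]
THREATS = [
    Threat("customer_db", "SQL injection through the public web application", 3, 5),
    Threat("customer_db", "unencrypted backup tapes lost in transit", 2, 4),
    Threat("mail_server", "phishing e-mail delivers malware to staff", 4, 3),
    Threat("printed_customer_records", "documents left in shared printer tray", 4, 2),
    Threat("public_web_server", "unpatched network service exploited", 3, 3),
    Threat("mail_server", "spam flood degrades delivery", 2, 2),
]
ACCEPTED_RISK = 30  # assumed figure that management has formally signed off


def run_example():
    register = build_register(ASSETS, THREATS)
    treat, accept = action_plan(register, ACCEPTED_RISK)
    for e in register:
        tag = "TREAT " if e.score > ACCEPTED_RISK else "accept"
        print(f"{tag} {e.score:3d}  {e.asset.name:25s} {e.threat.description}")
    return register, treat, accept


if __name__ == "__main__":
    run_example()
```

With these numbers four of the six risks land above the accepted level and become the action plan; the printed-records risk (32) only just crosses it, which is the kind of borderline entry worth re-checking before a project is funded. The `control_is_sufficient` check is there because a proposed control should be tested against the same formula before it is written into the plan: dropping the SQL injection likelihood from 3 to 1 brings the residual risk to 25, but a control that only gets it to 2 leaves 50, still above the level management accepted.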
