Security Basics mailing list archives
Re: security plan
From: "Rodrigo Blanco" <rodrigo.blanco.r () gmail com>
Date: Mon, 15 Jan 2007 14:37:19 -0600
Hi nawalmiftahi,

I would say that the first thing to do is a risk analysis (which should roughly include at least these steps):

1.- Identifying assets and assigning them a value with regard to your activity / business. Assets can be almost anything (hardware - servers, communications devices -, services - network services, applications -, databases, printed information... whatever can adversely impact your business if its security properties - confidentiality, integrity, availability - are affected). IMHO, assets directly related to business information are critical.

2.- Identifying threats that might impact these assets and estimating the likelihood they will materialize, and the impact on your activity.

3.- From these pieces of information, calculating the risks, prioritizing higher risks for your organization's activity.

There are several tools / methodologies for risk analysis (CRAMM, BSI, Octave, NIST... you name it) with different prices and formality. Or you can start off with an informal approach, depending on the resources at your disposal. It is sometimes a good idea not to go into too much detail on a first approach in identifying assets.

Afterwards, it is good to have the management decide and formally approve the level of risk which is accepted. Risks above it should be treated with security controls, and risks below this level will be accepted and not treated.

The action plan can be built from the series of risks to be treated with specific security controls (that is, those which exceed the accepted level of risk), as a series of security projects. These projects are aimed at implementing technical or procedural security measures in order to reduce those risks below the accepted risk level.

It is ideal to repeat this process on a periodic basis (as your activity and environment change over time) and include it in a broader framework, such as an ISMS.

Hope it helps.

Regards,
Rodrigo.
On 15 Jan 2007 05:12:07 -0000, nawalmiftahi () gmail com <nawalmiftahi () gmail com> wrote:
Hi all, we have a security strategy defined, and I am asked to make an action plan for the above strategy (which is a general strategy from Microsoft security). The question I am concerned with is where do I have to start? I came to know that the 1st step is identifying assets, so how should one identify the assets, like what all should be considered: only servers, or any network infrastructure? And should VA be included in the above plan...