Security Basics mailing list archives

RE: Risk Assessment Basics


From: "Laundrup, Jens" <Jens.Laundrup () METROKC GOV>
Date: Thu, 26 Oct 2006 07:44:11 -0700

There are many ways of tackling that task, but here are the top ten
things I would do for starters.

1.  Your inventory, I would put it in a DB (or at least a spreadsheet)
and then start figuring out what each is.

2.  Start inventorying your software and data assets.  

3.  Get a good vulnerability scanner (we use Foundstone) which will also
identify rogue assets on your network (it uses ARP monitoring to do so).

4.  Start developing a set of policies (technology independent) and once
they are approved, you can write explicit procedures for them.  (do not
write from scratch.  Start by using those found at SANS or in government
organizations, as a template).  This should include your Change
Management process/procedure and a policy that states that Change
Management is not optional.  

5.  Look at starting to segregate your systems (using encrypted VLANs)
so that the developers can have their own sandbox to play in without
being able to upset production systems.

6.  Develop images for your groups, and start pushing these images onto
machines, taking away excess privileges in the process (this will make
your developers very happy, NOT).  Generally, they should be super users
but they may need to be administrators on their own box too (resist this
at all costs!) depending on the nature of the programming they do.  If
that is the case, physically segregate development and production
systems (like you would a DMZ off a firewall).

7.  Look at different risk assessment frameworks and pick the one that
is most suited for your business type.  There are many to choose from
but not all are suited for all businesses.  I like ITIL and the ISOs but
I know many who swear by COSO, COBIT, etc.

8.  Define roles and responsibilities for the network and security
personnel (it should be done for the entire company but that is well
outside your scope), and get sr. management to support it (this can be
very difficult since in most organizations, there is always someone who
feels that they should be allowed to do everything they want).  Your
efforts here are easily sabotaged unless you build consensus.

9.  Start working on incident response plans.  This should include
everything from someone having a heart attack (call 911, secure the work
he was doing, etc.) to the reaction sequence for malware detection
(find, localize, clean, patch), security perimeter breach (physical and
logical), disgruntled employee, fire, power outages, hurricanes,
earthquakes (or whatever other "bad" stuff can happen around you).

10.  Take up a hobby such as boxing, martial arts etc. where you can
vent your frustrations.  A good prescription or some wine would not hurt
either.

Good luck!

Jens

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Fahim S
Sent: Wednesday, October 25, 2006 12:09 AM
To: security-basics () securityfocus com
Subject: Risk Assessment Basics

With an ISO 27001 LA course behind me, I am off to hitting my very
first Security Assignment where I had to tackle a company's (quite bad)
IT Audit report done by E&Y guys. Amongst various other issues raised
by these guys that include "Lack of segregation of duties",
"programmers having full access on production systems", lack of
program change management guidelines etc., etc....under a clause titled
"Areas of Improvement" it is listed that "Risk Assessment" has never been
carried out and no BCP exists.

Now, the first thing I want to do is undertake Risk Assessment and my
understanding is, that in order to undertake Risk Assessment, I first
need to create/organise an Asset Register enumerating all the IT
Assets.

I read quite a well written article here:
http://www.networkmagazineindia.com/200212/security2.shtml

The guys here have a list of most of the Assets (Servers/PCs/Printers
etc) and I am using Eval version of Network View to get insights into
the others that are missing.

But what's the best practice? Is there a template to maintain an Asset
Register? How would I valuate them after identification and further, I
would also have to classify them.

Am I right in undertaking this process to start with given the fact
that various other points exist in the Auditors report? How should I
start?
Please Advise!!

PS: We are not aiming for ISO 27001 certification anytime in the near
future, I am only looking at it for best practices for now.
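Item 1 of the reply (put the inventory in a database and work out what each asset is) and the valuation and classification question in the original post can be tried out in a small script. The following is an added example written for this page, not code from either poster or from any product named in the thread. Its SQLite schema, the 1-to-3 rating scale for confidentiality, integrity and availability, the "asset value = highest CIA rating" valuation rule and the likelihood x impact score are assumptions chosen for illustration, and every asset and threat row is constructed.

```python
"""Minimal asset register with CIA classification and a likelihood x impact
risk score, kept in SQLite. Added example for this thread; the schema, the
1-3 scales and the scoring rule are assumptions, and all rows are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS assets (
    name            TEXT PRIMARY KEY,
    kind            TEXT NOT NULL,   -- hardware, software or data
    owner           TEXT NOT NULL,   -- who answers for the asset
    confidentiality INTEGER NOT NULL CHECK (confidentiality BETWEEN 1 AND 3),
    integrity       INTEGER NOT NULL CHECK (integrity BETWEEN 1 AND 3),
    availability    INTEGER NOT NULL CHECK (availability BETWEEN 1 AND 3)
);
CREATE TABLE IF NOT EXISTS risks (
    id         INTEGER PRIMARY KEY,
    asset      TEXT NOT NULL REFERENCES assets(name),
    threat     TEXT NOT NULL,
    likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 3)
);
"""


def open_register(path=":memory:"):
    """Open (or create) the register; foreign keys on, so a risk must name a known asset."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def asset_value(confidentiality, integrity, availability):
    """Valuation rule (assumption): an asset is worth its highest CIA rating,
    because the property whose loss hurts most is the one that sets the stakes."""
    return max(confidentiality, integrity, availability)


def add_asset(conn, name, kind, owner, c, i, a):
    """Register an asset with its owner and CIA ratings; returns its value."""
    conn.execute(
        "INSERT INTO assets VALUES (?, ?, ?, ?, ?, ?)", (name, kind, owner, c, i, a)
    )
    conn.commit()
    return asset_value(c, i, a)


def add_risk(conn, asset, threat, likelihood):
    """Record a threat against an asset; False if the asset is not in the register."""
    try:
        conn.execute(
            "INSERT INTO risks (asset, threat, likelihood) VALUES (?, ?, ?)",
            (asset, threat, likelihood),
        )
        conn.commit()
        return True
    except sqlite3.IntegrityError:  # CHECK or FOREIGN KEY constraint failed
        conn.rollback()
        return False


def rating(score):
    """Qualitative band for a 1..9 score (assumption: 6 and up high, 3 and up medium)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def risk_register(conn):
    """(asset, threat, likelihood, impact, score, rating) rows, worst first.
    Impact is the asset value, so score = likelihood x impact, range 1..9."""
    rows = conn.execute(
        """SELECT r.asset, r.threat, r.likelihood,
                  MAX(a.confidentiality, a.integrity, a.availability) AS impact
           FROM risks r JOIN assets a ON a.name = r.asset"""
    ).fetchall()
    scored = [(asset, threat, lk, imp, lk * imp, rating(lk * imp))
              for asset, threat, lk, imp in rows]
    return sorted(scored, key=lambda r: (-r[4], r[0]))


def build_sample_register():
    """Constructed sample data echoing the audit findings quoted in the thread."""
    conn = open_register()
    add_asset(conn, "payroll-db", "data", "Finance", 3, 3, 2)
    add_asset(conn, "web-frontend", "software", "IT", 2, 2, 3)
    add_asset(conn, "dev-workstation-07", "hardware", "Engineering", 1, 1, 1)
    add_risk(conn, "payroll-db", "unreviewed change by developer with production access", 3)
    add_risk(conn, "web-frontend", "known vulnerability left unpatched", 2)
    add_risk(conn, "dev-workstation-07", "malware infection", 3)
    return conn


if __name__ == "__main__":
    for row in risk_register(build_sample_register()):
        print(row)
```

Run as a script it prints the register ordered by score, so the finding about developers with production access to the payroll data lands at the top (3 x 3 = 9, high) and a malware infection on a low-value workstation lands at the bottom (3 x 1 = 3, medium). The point of keeping owner and CIA ratings as columns rather than free text is that the valuation is reproducible and a second reviewer can challenge an individual rating rather than a gut-feel ranking; the foreign key from risks to assets is what stops a threat being logged against something nobody has inventoried, which is exactly the gap an asset register is meant to close.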

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
