Security Basics mailing list archives
RE: Risk Assessment Basics
From: "Laundrup, Jens" <Jens.Laundrup () METROKC GOV>
Date: Thu, 26 Oct 2006 07:44:11 -0700
There are many ways of tackling that task, but here are the top ten things I would do for starters.

1. Your inventory: I would put it in a DB (or at least a spreadsheet) and then start figuring out what each is.
2. Start inventorying your software and data assets.
3. Get a good vulnerability scanner (we use Foundstone) which will also identify rogue assets on your network (it uses ARP monitoring to do so).
4. Start developing a set of policies (technology independent) and once they are approved, you can write explicit procedures for them. (Do not write from scratch. Start by using those found at SANS or in government organizations as a template.) This should include your Change Management process/procedure and a policy that states that Change Management is not optional.
5. Look at starting to segregate your systems (using encrypted VLANs) so that the developers can have their own sandbox to play in without being able to upset production systems.
6. Develop images for your groups, and start pushing these images onto machines, taking away excess privileges in the process (this will make your developers very happy, NOT). Generally, they should be super users but they may need to be administrators on their own box too (resist this at all costs!) depending on the nature of the programming they do. If that is the case, physically segregate development and production systems (like you would a DMZ off a firewall).
7. Look at different risk assessment frameworks and pick the one that is most suited for your business type. There are many to choose from but not all are suited for all businesses. I like ITIL and the ISOs but I know many who swear by COSO, COBIT, etc.
8. Define roles and responsibilities for the network and security personnel (it should be done for the entire company but that is well outside your scope), and get sr. management to support it (this can be very difficult since in most organizations, there is always someone who feels that they should be allowed to do everything they want). Your efforts here are easily sabotaged unless you build consensus.
9. Start working on incident response plans. This should include everything from someone having a heart attack (call 911, secure the work he was doing, etc.) to the reaction sequence for malware detection (find, localize, clean, patch), security perimeter breach (physical and logical), disgruntled employee, fire, power outages, hurricanes, earthquakes (or whatever other "bad" stuff can happen around you).
10. Take up a hobby such as boxing, martial arts etc. where you can vent your frustrations. A good prescription or some wine would not hurt either.

Good luck!

Jens

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Fahim S
Sent: Wednesday, October 25, 2006 12:09 AM
To: security-basics () securityfocus com
Subject: Risk Assessment Basics

With an ISO 27001 LA course behind me, I am off to hitting my very first Security Assignment where I had to tackle a company's (quite bad) IT Audit report done by E&Y guys. Amongst various other issues raised by these guys that include "Lack of segregation of duties", "programmers having full access on production systems", lack of program change management guidelines etc., etc., under a clause titled Areas of Improvement it is listed that "Risk Assessment" has never been carried out and no BCP exists.

Now, the first thing I want to do is undertake Risk Assessment and my understanding is that in order to undertake Risk Assessment, I first need to create/organise an Asset Register enumerating all the IT Assets. I read quite a well written article here: http://www.networkmagazineindia.com/200212/security2.shtml

The guys here have a list of most of the Assets (Servers/PCs/Printers etc.) and I am using the Eval version of Network View to get insights into the others that are missing. But what's the best practice? Is there a template to maintain an Asset Register? How would I valuate them after identification and further, I would also have to classify them. Am I right in undertaking this process to start with given the fact that various other points exist in the Auditors' report? How should I start? Please Advise!!

PS: We are not aiming for ISO 27001 certification anytime in the near future, I am only looking at it for best practices for now.
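The thread asks how to keep the asset register in a database, how to valuate and classify assets, and how to turn that into a risk assessment. Below is an added illustration (not code from either poster) of a minimal register with CIA-based valuation, classification and likelihood-times-impact scoring; the 1-3 scales, the classification thresholds, the risk formula and the sample assets are all assumptions constructed for the example.

```python
"""Minimal asset register with CIA valuation, classification and risk scoring.
Added illustration only; scales, thresholds and formula are assumed, not from the thread."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                 # hardware / software / data (per item 1 and 2 above)
    owner: str
    confidentiality: int      # 1 (low) .. 3 (high), assumed scale
    integrity: int
    availability: int

    def value(self) -> int:
        # Asset value = highest of the three CIA ratings (assumed rule)
        return max(self.confidentiality, self.integrity, self.availability)

    def classification(self) -> str:
        # Assumed mapping from value to handling class
        return {1: "public", 2: "internal", 3: "restricted"}[self.value()]


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: int           # 1 (rare) .. 3 (likely), assumed scale

    def score(self) -> int:
        # risk = likelihood x impact, with impact taken as the asset value
        return self.likelihood * self.asset.value()


def prioritised(risks):
    """Risks ordered highest score first, as (score, asset name, threat) tuples."""
    return sorted(((r.score(), r.asset.name, r.threat) for r in risks), reverse=True)


# Constructed sample register and threat list (not a real inventory)
REGISTER = [
    Asset("payroll-db", "data", "finance", 3, 3, 2),
    Asset("dev-workstation-07", "hardware", "engineering", 2, 1, 1),
    Asset("intranet-wiki", "software", "it", 1, 2, 2),
]
RISKS = [
    Risk(REGISTER[0], "developer with production access alters records", 2),
    Risk(REGISTER[1], "malware infection on an admin-privileged box", 2),
    Risk(REGISTER[2], "server outage", 2),
]

if __name__ == "__main__":
    for score, asset, threat in prioritised(RISKS):
        print(f"{score:>2}  {asset:<20} {threat}")
```

The ordering that comes out is the starting point for deciding which audit findings (such as production access for programmers) to address first.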