Only those documents viewed through the AESOP system are officially controlled. All other copies, whether viewed through another computer program or a printed version, are not controlled and therefore Generationnext (www.generationnext.in) assumes no responsibility for the accuracy of the document.
GENERATIONNEXT
What we do?
www.generationnext.in
Our methodology consists of information gathering to determine the current state, analysis of that information, and the development of a security roadmap.
Information Gathering
The information gathering process focuses on the three key risk components: assets, vulnerabilities, and threats. The approach is
asset-centric, meaning the risk assessment begins with the identification of assets and the value/criticality of assets that are central to
business operations. Threats which could impact these assets are identified and assessed. Finally, vulnerabilities that may be present
on the asset controls are examined to determine the likelihood of impact.
The information gathering phase typically consists of interviews with business managers and technical staff and a review of documentation relating to information security and assets (including network topology). Technical vulnerability assessment results can be used to improve the accuracy of the initial risk assessment, leveraging Common Vulnerabilities and Exposures (CVE) identifiers together with the Common Vulnerability Scoring System (CVSS).
Asset Identification
The goal of a risk assessment is to identify the risk to critical business operations. The first step in the risk assessment is to identify the assets that support critical business operations. These assets could include physical and logical assets such as data center systems, employee computers, network communications devices and channels, remote work areas such as employees' home computers, customer data, employee data, and intellectual property.
The key critical and sensitive assets that support business areas are identified through documentation review and interviews of
business managers and select technical staff, identifying:
Physical assets and locations
Asset ownership and classification
Network and logical connectivity
Software (OS and application)
Data flow throughout the network
Questions during the interview also focus on how the information technology assets are used by all types of system users (administrators, customers, employees, etc.). This allows a profile to be built of Application Roles and Relationships and User Roles and Relationships. Assets are then ranked based on their value to operations.
On a scale of 1 to 4, asset value will be ranked as follows:
1. Catastrophic: catastrophic failure is possible if the asset is destroyed or compromised.
2. Critical: the asset is considered mission critical to business operations.
3. Marginal: the asset marginally affects business operations; some degradation of service is likely if the asset is destroyed or compromised.
4. Negligible: destruction or compromise of the asset will have a negligible effect on business operations.
Vulnerability Assessment
Threats cannot impact assets unless the assets are vulnerable to the specific threats. Mitigating security controls may be in place, reducing the likelihood of a threat exploiting a given asset. Understanding the types of vulnerabilities that exist on critical assets is a key step in the risk assessment.
Comprehensive information security programs require that every asset have protective measures in the areas of:
Protection
Detection
Containment
Eradication
Recovery
Preventative measures reduce the likelihood of exploitation. The ability to detect and respond to incidents allows an organization to
minimize losses in the event of exploitation. Furthermore, effective detection and response provides a deterrent to exploitation attempts.
Vulnerabilities can be identified based upon the degree of protective measures in the areas of prevention, detection, and response. For
each critical asset, identify the status of compensating or mitigating controls in place. A few examples of areas to evaluate include:
Prevention
Security policies and procedures
Network and application architecture
Software version and patch level
Network segmentation and access controls
Authentication/authorization mechanisms
Security awareness program
Detection
Network intrusion detection capabilities
Host intrusion detection capabilities
Incident reporting policy and processes
Response
Incident response program capabilities
Response policies and process
System back-up and recovery capabilities
Vulnerabilities that affect critical assets are discovered through interviews, documentation review, technical analysis, and validation testing. Vulnerabilities are classified based on their severity. Severity identifies the exposure of an asset:
High: a vulnerability that allows a threat to control or destroy an asset.
Medium: a vulnerability that allows a threat to compromise or access an asset.
Low: a vulnerability that provides a threat with information which could be used to compromise an asset.
For each critical asset identified during the asset identification phase, identified vulnerabilities are noted and classified.
The more accurate the vulnerability assessment, the more accurate the risk assessment will be. The assets and threats that support and impact business operations tend to change much less frequently than the vulnerability picture. New vulnerabilities, changes in technology, and user- or administrator-introduced issues all contribute to a dynamic vulnerability environment. Areas identified through this high-level vulnerability assessment are candidates for a detailed, technical assessment.
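The asset identification and vulnerability assessment steps above describe an asset-centric register: each critical asset carries a value on the 1 to 4 scale, each finding on it carries a High/Medium/Low severity, and the combination decides which areas deserve a detailed technical assessment. The following Python is an added example of such a register, not code from Generationnext or from this page. It assumes the CVSS-to-severity bands used by NVD for CVSS v2 (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0), since the page mentions CVSS but does not state its own mapping, and it assumes a simple exposure score (asset importance times severity weight, one band lower when a mitigating control is in place); both rules are illustrative choices, not the methodology's. The CVE identifiers and asset names are constructed placeholders.

```python
"""Asset-centric risk register: rank assets, classify vulnerabilities, prioritize.

Added example; the scoring rule and CVSS band boundaries are assumptions,
not part of the published methodology.
"""
from dataclasses import dataclass, field

# Asset value scale from the methodology (1 = Catastrophic ... 4 = Negligible).
ASSET_VALUE = {1: "Catastrophic", 2: "Critical", 3: "Marginal", 4: "Negligible"}

# Severity bands named in the methodology, with an assumed numeric weight.
SEVERITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


def severity_from_cvss(base_score: float) -> str:
    """Map a CVSS base score onto High/Medium/Low.

    Assumption: the NVD CVSS v2 qualitative bands
    (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0).
    """
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score >= 7.0:
        return "High"
    if base_score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Vulnerability:
    cve_id: str          # placeholder identifiers below; not real CVEs
    cvss: float
    mitigated: bool = False   # a compensating/mitigating control is in place


@dataclass
class Asset:
    name: str
    value: int           # 1..4 per the methodology's asset value scale
    vulns: list = field(default_factory=list)

    def __post_init__(self):
        if self.value not in ASSET_VALUE:
            raise ValueError(f"asset value must be 1..4, got {self.value}")


def exposure_score(asset: Asset, vuln: Vulnerability) -> int:
    """Assumed rule: importance (4 for Catastrophic .. 1 for Negligible)
    times severity weight; a mitigating control drops the weight one band,
    never below Low, because the exposure still exists."""
    importance = 5 - asset.value
    weight = SEVERITY_WEIGHT[severity_from_cvss(vuln.cvss)]
    if vuln.mitigated:
        weight = max(weight - 1, 1)
    return importance * weight


def prioritize(assets):
    """Flatten the register into rows sorted by exposure score, highest first."""
    rows = []
    for asset in assets:
        for v in asset.vulns:
            rows.append({
                "asset": asset.name,
                "asset_value": ASSET_VALUE[asset.value],
                "cve": v.cve_id,
                "severity": severity_from_cvss(v.cvss),
                "mitigated": v.mitigated,
                "score": exposure_score(asset, v),
            })
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["cve"]))
    return rows


def sample_assets():
    """Constructed sample register (names and CVE ids are placeholders)."""
    return [
        Asset("customer-db", 1, [
            Vulnerability("CVE-XXXX-0001", 9.8),
            Vulnerability("CVE-XXXX-0002", 5.0, mitigated=True),
        ]),
        Asset("hr-laptop", 3, [Vulnerability("CVE-XXXX-0003", 7.5)]),
        Asset("lobby-kiosk", 4, [Vulnerability("CVE-XXXX-0004", 3.1)]),
    ]


if __name__ == "__main__":
    for r in prioritize(sample_assets()):
        flag = " (mitigated)" if r["mitigated"] else ""
        print(f'{r["score"]:>3}  {r["asset"]:<12} {r["asset_value"]:<13} '
              f'{r["cve"]} {r["severity"]}{flag}')
```

Running the script lists the Catastrophic database's unmitigated High finding first, the Marginal laptop's High finding next, and the mitigated database finding behind it, which is the ordering the page's text implies: asset value and the presence of compensating controls both shape the exposure, not the CVSS score alone.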
Threat Identification
Threats are individuals, groups, or external events which can impact assets. Threats can take many forms, including people (such as insiders or Internet users), technology (such as worms or Trojans), and events (such as flood or fire). The project team works with the enterprise to identify the threats that may impact the identified assets. To ensure that all credible threats are considered, a list of the various threat types is maintained.
Our approach to threat identification is based on threat modeling: building scenarios that reflect possible events. Each asset is analyzed from the perspective of the impact (liability) of the various threat scenarios. Examples of impact produced by threats include:
Direct costs from physical destruction / loss
Direct costs from theft / extortion