Comprehensive Network Security Plan: Policies and Strategies


Added on  2024/05/31

AI Summary
This document presents a comprehensive network security plan, beginning with an introduction to network security concepts and the importance of securing networks against various threats. It outlines the scope of network security, particularly in the context of an organization like Wal-Mart, emphasizing the need for authorized access, data protection, and secure payment processing. The plan details key objectives of network security, including confidentiality, integrity, availability, and nonrepudiation. It also addresses common assumptions made about network security and their limitations, such as relying solely on authentication or firewalls. The document further includes risk analysis, asset identification, and assessment of potential threats and vulnerabilities. Various security policies are discussed, including acceptable use, network security, physical security, personnel, data, and hardware policies. The plan also covers disaster recovery and business continuity strategies, recommended security controls, and an assessment of residual risks. The document concludes by listing resources and summarizing the importance of a robust network security plan for any organization.
Network Security Plan
Table of Contents
Introduction
Objectives
Assumptions
Risk Analysis
Asset Identification and Assessment
Risks
Threats, Challenges, and Vulnerabilities
Security Policies
Acceptable Use Policies
Network Security Policies
Physical Security Policies
Personnel Policies
Getting ready methods can moreover be connected as one of the devices for surveying the accomplishment of the office's undertakings. A half of year after the approach will turn out to be intense; the training division must confirm the technique
Data Policies
System and Hardware Policies
Disaster Recovery and Business Continuity
Security Strategies and Recommended Controls (two pages)
Residual Risks
Resources
Conclusion
References
Introduction
In today's world, we are all connected to one network or another. But are these networks secured? If yes, then how? What is network security? Any measure taken to secure a network from known or unknown threats is known as network security. Network security does not deal only with network-related aspects; it also deals with the hardware and software components of the system. Basically, network security manages access to the network.
How does it operate? Network security works on the basic principle of layered security: it has different protective layers that run from the edge all the way to the network layer. These layers allow authenticated users in and block any unauthorized, malicious or unknown user from accessing the network.
In a digitalized world like the one we live in, it is very important to secure a network, as everything and everyone is connected to it one way or another. There are various ways in which we can secure a network, and hence various types of network security are available nowadays. Let's have a look at them (Carter, 2012):
1. Protection from Unauthorized Access:
Not everyone should have access to your network; in other words, your network should not be open to all. There should be a proper check on all the personnel and devices that access the network, and the network should be able to differentiate between an authorized and an unauthorized device or user. By checking access in this way we can make our network better and more stable. This process is known as Network Access Control (NAC).
2. Application Security:
Securing the network is essential, but it is not the only thing that needs to be secured. Sometimes the applications we use on the network have flaws which may lead to unknown threats and, in the end, compromise the network itself.
3. E-mail Security:
We are all aware of the viruses and malware that we sometimes receive through e-mail. According to the IT R&D, e-mail is one of the most common and widely used channels for threatening or compromising a network. There should be proper checking and monitoring of the e-mails received over the network.
4. Firewall:
As the name suggests, the firewall literally acts as a barrier between the outside world and our personal network. Firewalls are responsible for detecting any unauthorized access or breach of the network's security. A firewall can be a software component, a hardware component, or both, depending upon the need of the user.
5. Web Security:
If a system or device is connected to a network, the user will obviously use the services of the World Wide Web. As useful as it is, the Web also needs to be secured at all times to prevent harmful intrusions from it, as it houses some of the most damaging threats a network can face.
The network in any environment or organization, being a mediator between the internet and the user, is prone to many threats and security vulnerabilities. As discussed above, securing the network should be a prime concern and the primary objective before establishing any other component of the system. But the question is how far network security can be taken and what the future of this component looks like. Let's see (Carter, 2012).
Scope
As discussed above, network security is extremely important and a key factor in securing the confidentiality of, and trust in, any organization or company. In today's world, the scope of network security is wide and its applications are endless.
Network security should protect networks from:
1. Structured and unstructured attacks.
2. Phishing.
3. DoS and DDoS attacks.
4. IP address spoofing.
5. Password attacks and many more.
To further understand the scope of network security, let's take an organization into consideration and analyze the threats that accompany it.
We are all aware of the e-commerce giant Wal-Mart. Wal-Mart operates via physical stores and online stores as well. On Wal-Mart's site, the organization sells almost all kinds of products from different brands to different places around the world. Customers have the option of paying online via credit card, debit card or net-banking. Running all these services on the World Wide Web requires highly encrypted payment gateways and a secure network. This is where network security comes into play. The following are the roles that network security plays in securing Wal-Mart's network:
Firstly, network security ensures that only authorized users can access Wal-Mart's site; that is, to make a purchase the user must have a registered ID and password to log in. This makes it easier for the organization to keep track of purchases and of the users who make them.
After giving access to an authorized user, security must ensure that the user does not perform any unauthorized activity on the network. That is, network security must ensure the firewall's integrity even after access is granted, so that no one can harm the network from within.
While logging on to the network, the user provides sensitive information to the organization, such as name, address, phone details, credit card details, payment information and a lot more. Network security also ensures the security of this analytical data and information so as to protect the interests of both the user and the organization (Carter, 2012).
If a user chooses to pay online for a purchase, it is network security's duty to direct the payment details from the site to the gateway and from the gateway back to the site; no data loss is tolerable when it comes to payment details.
In the end, network security must hold and maintain the user's data and information after the user has logged out of the network, so that it can be used intact in the future (Varshney, 2006).
As seen above, it is not possible to operate a venture or any kind of work that involves sensitive information without network security. Network security not only protects the network from outside threats but also protects the information and data stored on the network from getting out. It is therefore evident that the scope and usage of this component are unparalleled by any other component when it comes to security and protection. As the network grows and more ventures come online, maintaining and using network security on a regular basis will become ever more important and a higher priority. If network security is not implemented in an organization's network, anyone with enough computer skills and knowledge can break into a system and compromise the network, resulting in loss and leakage of data and damage to the company's reputation at the same time. The duplication of movies, songs and other things we see on the internet is a result of poor network security and a lack of proper management of the network. To ensure the success and reputation of any organization, it is very important to ensure robust and well-functioning network security (Mitchell, 2017).
Objectives
Network security is the term used for the policies or rules applied to the network on which one browses. It provides security against the different threats that can attack the network while you are on it, breach your data, and take your very personal credentials and misuse them.
So network security is like a lock that provides a wall between the network and your data or credentials, so that no unauthorized person or threat can attack you while you are on the network.
There are 4 main objectives behind network security:
1) Confidentiality- The first objective of network security specifies a very important rule about the network: who or what is allowed to access information on the network. Basically, it means who is authorized and who is not; keeping data confidential means not showing it to everyone, only to those who are authorized. Authorization methods are kept on the network which allow only those authorized persons who have the clearance to see their confidential details.
2) Integrity- It is made up of both the confidentiality and the availability of the data. The main feature of integrity is that it not only authorizes access to the data but also checks that the data stored on the network is not changed by any authorized person and is saved in such a way that it is not contaminated.
3) Availability- It means that the data stored on the website or on the internet can be accessed only by the person or persons who have the authorization for it. Availability means that only those who have authorization can check the data, whereas others who do not have authorization are blocked by the security on the network.
4) Nonrepudiation- It is the newest and not yet widely used security option, used for integrity, availability, and confidentiality. It is the security option in which the person has to give a digital signature for the authorization process rather than using a password or anything else. It would be the best way to secure your data if it were used widely and perfectly. It is basically used for business purposes in the e-commerce sector to provide perfect authorization and authentication (Carter, 2012).
These are some of the security goals that should be achieved in the business and technical areas. Achieving these goals provides full protection against intruders, malicious persons and different threats.
Many business and government organizations in the world have IT departments. These IT departments deal with most of the security issues that the organization faces. If a security breach or any security issue arises in the organization, it is solved by the IT department, and solved in such a way that the same problem does not arise again from the same security issue.
This is the main objective of network security in the business and technical fields (Mitchell, 2017).
Assumptions
It is very important for each and every organization to make some assumptions about its security. These assumptions make it easier to raise the organization's level of security. However, the problems that can come in the way are not solved just by surveying them and making assumptions about the probability that they can occur.
Some of the assumptions made in an organization are:
The assumption that authentication is enough: it is assumed that security at login on an account or a laptop is enough. Once authentication is secured, it is assumed that no further security is required. This is not true; further security is needed, because security on authentication alone is not enough. There are many other security gaps through which threats can enter the network.
The second assumption that some organizations or persons make is that a firewall is enough for security purposes. They think that the firewall, which creates a wall between the network and the user, makes security breaches difficult, but they do not understand that it is not enough on its own. Other security measures are also required. A firewall is not enough because it protects the organization from only some security threats, not all. So it is necessary to make security strong and to make sure that all security threats are addressed, not only one (Mitchell, 2017).
Reactive posture is one of the most useful assumptions made for security purposes. Since the user knows that authentication and a firewall alone are not enough against security threats, a reactive posture is used. In a reactive posture, the holes in the security are found and rectified before any hacker or threat attacks through them. It is one of the best ways because it identifies beforehand what remains to be done in securing the network, so that no loopholes are left. If there are any, it should notify and then rectify the damage.
The last assumption is that whenever a security breach or threat is about to occur, the security system will notify the user beforehand, so that the user knows which threats are going to attack him or her while on the network. With this notification, the user can easily overcome the threat and rectify loopholes that he or she did not know about before. It is one of the best assumptions because every time threats are about to come, the user will know beforehand and can upgrade the security system so that he or she does not face any of these attacks. But some attacks that are new to the networking area will not trigger a notification and can still succeed, so to avoid this situation you should always update your software and applications so that no new cyber threats can bring harm to you.
Risk Analysis
Asset Identification and Assessment
Asset identification and assessment come under risk assessment. In fact, risk assessment is the initial process in risk management. An organization uses risk assessment to determine the risk associated with its IT system and whether there are any potential threats. Risk assessment helps in determining the extent to which the IT system of an organization is affected and in choosing the right techniques and appropriate technologies to overcome the risk.
A risk can be defined as the result of a potential threat that can have an adverse impact on an organization and its work. A risk is determined by multiplying threat by asset and vulnerability.
Risk = Threat x Asset x Vulnerability
In the identification and analysis of assets in risk assessment, the assets can be divided into two parts:
Physical Assets
Non-physical Assets
Here, the assets are characterized according to their type, whether physical or non-physical. Physical assets include all the hardware, like the computer desktop, printer, scanner, LAN and WAN wires, etc. Non-physical assets include all the system-related data, data and information, system interfaces, etc. The system-related information about assets helps in defining the scope of the effort, identifying the IT system and providing information that is important for defining risk. A deep understanding of the system's environment is necessary for the identification of system-related risks (Mitchell, 2017).
Physical assets
The physical assets in the risk assessment and analysis are given below:
Hardware
Computer/ Desktop
Laptop
Printer
Scanner
Shredder
Beamer
Connecting wires
Non-physical Assets
The non-physical assets in the risk assessment and analysis are given below:
Software
Data and Information
System Interfaces
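A worked instance of the formula Risk = Threat x Asset x Vulnerability, added here as an illustration and not part of the original plan: it scores a small register built from the asset lists in this section and ranks the results. The 1 to 5 rating scale, the CSV layout and every rating are assumptions made for the example.

```python
import csv
import io

FACTORS = ("threat", "asset_value", "vulnerability")
CATEGORIES = ("physical", "non-physical")
SCALE_MIN, SCALE_MAX = 1, 5  # assumption: each factor is rated 1 (low) to 5 (high)

# Constructed sample register: asset names come from the lists above,
# all ratings are invented for illustration.
REGISTER_CSV = """asset,category,threat,asset_value,vulnerability
Computer/Desktop,physical,3,3,4
Laptop,physical,4,3,4
Printer,physical,2,1,3
Connecting wires,physical,1,2,2
Software,non-physical,4,4,3
Data and Information,non-physical,5,5,3
System Interfaces,non-physical,3,4,2
"""


def load_register(text):
    """Parse the register; reject unknown categories and out-of-scale ratings.

    A rating of 0 is refused on purpose: because the formula is a product,
    a single zero factor would silently erase an asset's risk.
    """
    rows = []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        if row["category"] not in CATEGORIES:
            raise ValueError(f"line {line_no}: unknown category {row['category']!r}")
        entry = {"asset": row["asset"], "category": row["category"]}
        for factor in FACTORS:
            try:
                rating = int(row[factor])
            except (TypeError, ValueError):
                raise ValueError(f"line {line_no}: {factor} is not a number") from None
            if not SCALE_MIN <= rating <= SCALE_MAX:
                raise ValueError(f"line {line_no}: {factor}={rating} is outside the scale")
            entry[factor] = rating
        rows.append(entry)
    return rows


def risk_score(entry):
    """Risk = Threat x Asset x Vulnerability, as stated in the text."""
    return entry["threat"] * entry["asset_value"] * entry["vulnerability"]


def rank(rows):
    """Return (asset, score) pairs, highest risk first; ties are broken by name."""
    scored = [(entry["asset"], risk_score(entry)) for entry in rows]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def summarize(rows):
    """Per asset class: the total risk and the single riskiest asset."""
    summary = {}
    for category in CATEGORIES:
        members = [entry for entry in rows if entry["category"] == category]
        summary[category] = {
            "total": sum(risk_score(entry) for entry in members),
            "top": max(members, key=risk_score)["asset"] if members else None,
        }
    return summary


if __name__ == "__main__":
    register = load_register(REGISTER_CSV)
    for asset, score in rank(register):
        print(f"{score:4d}  {asset}")
    print(summarize(register))
```

The ranking, not the absolute numbers, is what feeds the later steps: the highest-scoring assets are the ones whose controls get analysed first.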
Risks
Risk may be defined as the net negative impact of the exercise of a weakness or vulnerability, taking into consideration both the probability of the occurrence and its impact. A risk can be defined as the result of a potential threat that can have an adverse impact on an organization and its work.
Individual Risk Analysis of Assets
The assessment of the risk to assets is very important. It helps the organization to determine the extent of the risk and its impact, and it also helps in finding appropriate methods to avoid that risk.
The risk assessment contains a total of 9 steps, and these are:
Characterization of the system
Identification of the threat
Identification of vulnerability
Analysis of Control
Determination of likelihood
Analysis of the impact
Determination of the risk
Recommendations regarding the control
Documentation of the result
Characterisation of the System- For the assessment of risk in a system, the scope of the effort needs to be defined. The IT system's limits are recognized in this step. Characterisation of an IT system determines the extent of the risk assessment effort, gives the information necessary for the risk, and defines the boundaries of operational authorization. A deep understanding of the system setting is necessary for the identification of system-related risks.
Information relating to the system for recognizing the risk relating to the IT system- It needs a thorough understanding of the system's processing. This system-related information can be classified into the following types:
Hardware
Software
System interfaces
Data and information
Persons using and supporting the IT system
System mission
System and data criticality
System and data sensitivity
Other than the above-mentioned types, additional system-related information types are:
The functional requirements of the IT system
Users of the system. This includes users that provide technical support to the IT system, users that employ the IT system to perform functions for their business, etc.
System security policies governing the IT system, like laws and organizational policies
System security architecture
The current network topology, which includes a network diagram
Protection of stored information. It keeps the system and data safe and protects their confidentiality and integrity.
The flow of information related to the IT system. This includes the input and output flow diagram of the system, interfaces of the system, etc.
Technical controls that are used in the IT system. This includes access control, encryption methods, audit, etc.
Management controls that are used in the IT system, like the rules of behavior, security planning, etc.
Operational controls that are used in the IT system. This includes back-up, personnel security, contingency, controls that segregate user functions, maintenance of the system, access for privileged users as compared to access for standard users, recovery and resumption, etc.
The physical security environment of the IT system, like policies regarding data, facility security, etc.
If a system is in its design or initial phase, the design helps in obtaining system-related information. The important security rules and features of an IT system must be defined for its development and for its better future. The security plan and the design documents of the system provide important and useful information about the security that comes with IT system development.
For an IT system that is already in operation, the user data and information can be collected from documented and undocumented procedures. The system's description may be based on the future security plans of the IT system or on the security provided by the infrastructure of the IT system (NixCraft, 2017).
Information Gathering Technique- There are many ways in which information related to the IT system can be gathered. Some of the most common techniques for gathering the information are given below:
Questionnaire- The person appointed for the task of information gathering can prepare a questionnaire based on the operational and management controls that are in use or are planned to be used in the future for the IT system. The questionnaire must have technical as well as non-technical questions so that it can be distributed to technical as well as non-technical staff. This helps in understanding the risk at the technical as well as the non-technical level.
Onsite Interviews- The person appointed for this task can take onsite interviews of the people working there in order to gather important information related to the IT system. If the system is in the design phase, then the onsite interview will be face-to-face in order to get an opportunity to evaluate the physical setting of the IT system.
Review of the Document- The review of documents such as security-related documents, directives, legislative documents, previous reports, system test result reports, etc. can provide useful and important information regarding the security controls of the organization's IT system.
Use of Automated Scanning Tool- In order to collect information regarding the system efficiently, some technical proactive methods can be used, like the tool used for network