SearchSecurity.com | Security Dashboard RSS Feed
The Value of Risk Assessment - A Case Study
This paper examines the application of the security risk assessment process to a fairly complex project, from its initial design phases, before any risk assessment had been done, through to its production state. It discusses how risks were identified and assessed, and shows how the risk assessment process changed the final outcome of the project. It also looks at the impact the assessment had on the project and identifies lessons learned. Security risk assessment is often a tricky business: striking the right balance between the cost of security and business needs is not easy, and the process is often subjective and hard to carry out. Implemented correctly, though, it can greatly improve the overall security posture of a company, one project at a time.
03/28/2004
Fortifying My Doghouse while Thieves Steal My Computer
For the last few years we assumed that fortifying the network perimeter would keep all the bad people away from our computers and the data on our networks. What we failed to consider is how the threats have changed: accidents by insiders, insiders who abuse their legitimate access for malicious ends, and outsiders who compromise user accounts and log on looking exactly like your own personnel. A hardened perimeter does nothing against any of these, because each of them is already inside it.
03/24/2004
Clear Text Password Risk Assessment Documentation
The risks of sending clear-text passwords across an enterprise network may be obvious to you as a Security Officer or Security Analyst, but the security implications are not always clear to senior management or business leaders. This paper presents a risk assessment of sending clear-text passwords across an enterprise network, written for that audience.
03/24/2004
Application Security, Information Assurance’s Neglected Stepchild - A Blueprint for Risk Assessment
The best defensive weapon against every class of threat, external or internal, intentional or accidental, is the Information Assurance audit. A comprehensive Information Assurance audit covers all aspects of a firm’s Information Technology operations, from assessing network and server vulnerabilities to physical plant security and disaster recovery planning. This paper focuses on the part most often neglected: how to properly assess the security of application software.
03/24/2004
A Perspective on Threats in the Risk Analysis Process
This paper looks at one of the fundamental building blocks of the risk analysis process. Asking three key questions, which threats will affect the asset, how likely each threat is to occur, and what impact the loss of the asset would have on the operation of the organization or its personnel, can determine whether the risk analysis succeeds or fails. It also shows how applying general and economic risk factors can help rank key assets. These are only the first steps in the risk analysis process, but applying this methodology helps ensure that assets that are both critical to the organization and vulnerable to threats are identified.
03/24/2004
An Overview of Threat and Risk Assessment
The purpose of this document is to give an overview of the process involved in performing a threat and risk assessment. Many methodologies exist for performing one; some are "open-source" and others proprietary. The objective of a threat and risk assessment is to produce recommendations that maximize the protection of confidentiality, integrity and availability while still providing functionality and usability. To find the safeguards that strike this balance, a company or organization can perform a threat and risk assessment using either internal or external resources. It is important that the assessment be a collaborative process: without the involvement of the various organizational levels it can lead to costly and ineffective security measures.
By James Bayne, 03/24/2004
A qualitative risk analysis and management tool – CRAMM
Facing the challenges of the Internet era, managers and information security professionals in business and government must manage the specific risks to their organizations to keep operations running efficiently. This paper explains the basic components of the risk analysis and management process and mentions several methodologies and approaches. It then describes and discusses CRAMM (the CCTA Risk Analysis and Management Method), an automated tool built on a qualitative risk assessment methodology, by walking through the stages of a CRAMM review: asset identification and valuation, threat and vulnerability assessment, and countermeasure recommendation. Besides raising organizational awareness, CRAMM is a comprehensive and flexible tool, especially for justifying prioritized countermeasures at a managerial level; it does, however, need qualified and experienced practitioners to produce useful results.
03/24/2004
Quantitative Risk Analysis Step-By-Step
This paper shows how a centralized data table of reference data, together with estimating techniques for the key variables used to determine risks and losses, can help present a stronger case for security improvement to management. A discussion of methods for valuing tangible and intangible assets helps quantify the largest information security risk in the U.S., theft of proprietary information (Computer Security Institute). Additional focus is placed on important risk areas such as Internet security, overseas security concerns, and laptop security. The paper should also help an IT security consultant win new business by producing a well-written quantitative risk analysis.
03/24/2004
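Worked example added here to show the arithmetic behind a quantitative risk analysis of the kind this paper describes, and the asset ranking by likelihood and impact that the "Perspective on Threats" paper above calls for. It is not code from either paper. It uses the standard annualized loss expectancy model (single loss expectancy = asset value x exposure factor; ALE = SLE x annualized rate of occurrence; a control is worth buying when the ALE it removes exceeds its annual cost), and every asset value, exposure factor, occurrence rate and control cost below is a constructed sample figure, not reference data:

```python
"""Annualized loss expectancy (ALE) worked example.

Added illustration using the standard quantitative model:
    SLE = AV * EF          (single loss expectancy)
    ALE = SLE * ARO        (annualized loss expectancy)
    control value = ALE_before - ALE_after - annual control cost
All figures below are constructed sample data, not reference values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # AV in dollars; for data, an estimated replacement/competitive loss
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self):
        # Bad entries in the reference table are the usual way a quantitative
        # analysis goes wrong, so reject impossible inputs instead of producing a number.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}/{self.threat}: EF must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.asset}/{self.threat}: AV and ARO cannot be negative")

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ef_reduction: float = 0.0   # fraction by which the control cuts EF (encryption lowers loss per theft)
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO (a lock lowers theft frequency)


def residual(scenario: Scenario, control: Control) -> Scenario:
    """The same scenario after the control is applied."""
    return replace(scenario,
                   exposure_factor=scenario.exposure_factor * (1.0 - control.ef_reduction),
                   aro=scenario.aro * (1.0 - control.aro_reduction))


def control_value(scenario: Scenario, control: Control) -> float:
    """Net annual benefit of a control; negative means it costs more than the risk it removes."""
    return scenario.ale() - residual(scenario, control).ale() - control.annual_cost


def rank_by_ale(scenarios):
    """Order scenarios so the largest expected annual loss comes first (the asset-ranking step)."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed sample reference table (hypothetical assets, threats and figures).
SCENARIOS = [
    Scenario("engineering laptops", "theft with proprietary designs", 250_000, 1.0, 0.5),
    Scenario("public web server", "defacement", 40_000, 0.25, 2.0),
    Scenario("data center", "fire", 2_000_000, 0.6, 0.02),
]

# Constructed candidate controls, each aimed at one scenario.
CANDIDATES = [
    (SCENARIOS[0], Control("full-disk encryption on laptops", annual_cost=15_000, ef_reduction=0.9)),
    (SCENARIOS[2], Control("gas fire suppression", annual_cost=30_000, ef_reduction=0.5)),
]


def report():
    """Return (scenarios ranked by ALE, [(control name, net annual value)]) for the sample table."""
    ranked = rank_by_ale(SCENARIOS)
    values = [(c.name, control_value(s, c)) for s, c in CANDIDATES]
    return ranked, values


if __name__ == "__main__":
    ranked, values = report()
    for s in ranked:
        print(f"{s.asset:22} {s.threat:32} SLE ${s.sle():>12,.0f}  ALE ${s.ale():>10,.0f}")
    for name, value in values:
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name:35} net ${value:>10,.0f}/yr -> {verdict}")
```

Running it shows why ranking by ALE alone is not enough: the data center fire carries a higher ALE than the web defacement, yet the suppression system still fails the cost test, while encryption on the laptops is cheap relative to the loss it removes. That net-value line, not the raw ALE, is the number management can act on, and the input validation is there because a single impossible exposure factor in the reference table silently corrupts every figure derived from it.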
Security Assessment Guidelines for Financial Institutions
The paper contains an introduction and two sections. The first discusses how to set up a risk assessment and security evaluation program suitable for financial institutions, including development of the standards, methods, processes and procedures used for risk assessment, security planning and reviews. The second briefly illustrates these concepts by evaluating two fictional MS-SQL Server applications: one holds mission-critical business data for internal use only and is reachable only on the “trusted” network; the other is a Web-based Internet site run by a service provider. The methodology can be applied during systems development and used to gain approval of review tools and techniques after the move into production.
03/24/2004
Application of the NSA INFOSEC Assessment Methodology
This paper looks at the structure of the NSA INFOSEC Assessment Methodology (IAM) and provides an example of applying the IAM to a fictitious firm, GIAC International Schools, Inc.
03/24/2004