Security Evaluation on a Network
Security evaluation is needed to protect the information on our network from unauthorized access. Information security is concerned with protecting the confidentiality, integrity and availability of information, also known as the CIA triad, which forms the core principles of information security.
Confidentiality means information is accessible only to those who have the right to access it. Integrity means information can be modified only by those who are authorized to modify it. Availability means information is accessible when it is needed.
We have to understand the weaknesses in our network, using a framework such as ISO/IEC 27002:2005. A weakness in a system is called a vulnerability. Something that can exploit a vulnerability to cause harm is called a threat. A threat does not always corrupt the system, but from a threat an attack can arise that harms one of the security properties of the system. Risk is the likelihood that a threat will exploit a vulnerability and harm an information asset, weighted by the impact that harm would have.
ISO/IEC 27002:2005, Code of practice for information security management, recommends that the following areas be examined during a risk assessment:
- security policy,
- organization of information security,
- asset management,
- human resources security,
- physical and environmental security,
- communications and operations management,
- access control,
- information systems acquisition, development and maintenance,
- information security incident management,
- business continuity management, and
- regulatory compliance.
In broad terms, the risk management process consists of:
- Identification of assets and estimation of their value. Assets include people, buildings, hardware, software, data (electronic, printed or other) and supplies.
- A threat assessment. Threats include acts of nature, acts of war, accidents, and malicious acts originating from inside or outside the organization.
- A vulnerability assessment, and for each vulnerability an estimate of the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control and technical security.
- Calculation of the impact each threat would have on each asset, using qualitative or quantitative analysis.
- Identification, selection and implementation of appropriate controls. Provide a proportional response, considering productivity, cost effectiveness and the value of the asset.
- Evaluation of the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.
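The following is an added worked example, not part of the original text, showing the quantitative form of the process above carried through on a small constructed inventory: assets with estimated values, threat/vulnerability scenarios with an estimated exploitation rate and impact, and candidate controls judged by whether the loss they avoid justifies their cost. It uses the standard annualised loss expectancy model (single loss expectancy = asset value × exposure factor; annualised loss expectancy = SLE × annual rate of occurrence) and return on security investment; the text does not name these formulas, and all asset values, rates, control names and costs are illustrative assumptions.

```python
"""Quantitative risk assessment worked through for a constructed asset inventory.

Added example: the assets, scenarios, rates and control costs below are
illustrative assumptions, not figures from any real assessment.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float  # estimated business value of the asset (step 1: identify and value assets)


@dataclass
class Scenario:
    """One (asset, threat, vulnerability) pairing with estimated likelihood and impact."""
    asset: Asset
    threat: str          # step 2: the threat being assessed
    vulnerability: str   # step 3: the weakness the threat would exploit
    aro: float           # step 3: annual rate of occurrence, i.e. expected exploitations per year
    exposure_factor: float  # step 4: fraction of the asset's value lost per occurrence (0..1)

    def sle(self) -> float:
        """Single loss expectancy: value lost in one occurrence."""
        return self.asset.value * self.exposure_factor

    def ale(self, aro_reduction: float = 0.0) -> float:
        """Annualised loss expectancy, optionally after a control reduces the ARO."""
        return self.sle() * self.aro * (1.0 - aro_reduction)


@dataclass
class Control:
    name: str
    annual_cost: float
    # threat name -> fraction by which the control reduces that threat's ARO (0..1)
    mitigates: dict = field(default_factory=dict)


def evaluate_control(control: Control, scenarios: list) -> dict:
    """Step 6: annual loss avoided, net benefit and ROSI for one control."""
    avoided = 0.0
    for s in scenarios:
        reduction = control.mitigates.get(s.threat, 0.0)
        avoided += s.ale() - s.ale(aro_reduction=reduction)
    net = avoided - control.annual_cost
    return {"control": control.name, "avoided": avoided,
            "net_benefit": net, "rosi": net / control.annual_cost}


def select_controls(controls: list, scenarios: list) -> list:
    """Step 5: proportional response; keep only controls whose avoided loss
    exceeds their cost, ordered by return on security investment."""
    results = [evaluate_control(c, scenarios) for c in controls]
    accepted = [r for r in results if r["net_benefit"] > 0]
    return sorted(accepted, key=lambda r: r["rosi"], reverse=True)


# Constructed sample inventory (assumptions, not measured data).
CUSTOMER_DB = Asset("customer database", 500_000.0)
WEB_SERVER = Asset("public web server", 80_000.0)

SCENARIOS = [
    Scenario(CUSTOMER_DB, "SQL injection via web application",
             "unparameterised queries in the login form", aro=0.5, exposure_factor=0.6),
    Scenario(WEB_SERVER, "volumetric DDoS",
             "no upstream traffic filtering", aro=2.0, exposure_factor=0.1),
    Scenario(CUSTOMER_DB, "insider misuse",
             "no monitoring of privileged database access", aro=0.1, exposure_factor=0.4),
]

CONTROLS = [
    Control("Parameterised queries plus WAF", annual_cost=30_000.0,
            mitigates={"SQL injection via web application": 0.9}),
    Control("DDoS scrubbing service", annual_cost=25_000.0,
            mitigates={"volumetric DDoS": 0.8}),
    Control("Database activity monitoring", annual_cost=8_000.0,
            mitigates={"insider misuse": 0.5}),
]


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.asset.name:22} {s.threat:36} ALE={s.ale():>10,.0f}")
    for r in select_controls(CONTROLS, SCENARIOS):
        print(f"accept {r['control']:34} net benefit={r['net_benefit']:>9,.0f} ROSI={r['rosi']:.2f}")
```

Running the block shows the SQL injection scenario dominating the annual loss and the WAF/parameterisation control paying for itself several times over, while the DDoS scrubbing service is rejected because the loss it avoids is smaller than its cost: the same "proportional response" judgement the text calls for, made explicit in numbers.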