
CHAPTER 7
Information Security Process
93
Copyright 2001 The McGraw-Hill Companies, Inc. Click Here for Terms of Use.
Information security is a proactive process to manage risk. Unlike a reactive model in which an organization experiences an incident before taking steps to protect its information resources, the proactive model takes steps prior to the occurrence of a breach. In the reactive model, the total cost of security is unknown:

Total Cost of Security = Cost of the Incident + Cost of Countermeasures

Unfortunately, the cost of an incident is unknown until it actually occurs. Since the organization has taken no steps before the incident has occurred, there is no way to know what the cost of an incident might be. Therefore, the risk to the organization is unknown until an incident has occurred.
Fortunately, organizations can reduce the cost of information security. Proper planning and risk management will drastically reduce, if not eliminate, the cost of an incident. If the organization had taken the proper steps before the incident occurred, and the incident were prevented, the cost would have been:

Cost of Information Security = Cost of Countermeasures

Note also that

Cost of the Incident + Cost of Countermeasures >> Cost of Countermeasures

Taking the proper steps before an incident occurs is a proactive approach to information security. In this case, the organization identifies its vulnerabilities and determines the risk to the organization if an incident were to occur. The organization can now choose countermeasures that are cost-effective. This is the first step in the process of information security.
The process of information security (see Figure 7-1) is a continual process comprised of five key phases:

▼ Assessment
▼ Policy
▼ Implementation
▼ Training
▼ Audit

Individually, each phase does bring value to an organization; however, only when taken together will they provide the foundation upon which an organization can effectively manage the risk of an information security incident.
94
Network Security: A Beginner’s Guide
ASSESSMENT

The information security process begins with an assessment. An assessment answers the basic questions of “Where are we?” and “Where are we going?” An assessment is used to determine the value of the information assets of an organization, the size of the threats to and vulnerabilities of that information, and the importance of the overall risk to the organization. This is important simply because without knowing the current state of the risk to an organization’s information assets, it is impossible for you to effectively implement a proper security program to protect those assets.

This is accomplished by following the risk management approach. Once the risk has been identified and quantified, you can select cost-effective countermeasures to mitigate that risk.

The goals of an information security assessment are as follows:

▼ To determine the value of the information assets
▼ To determine the threats to the confidentiality, integrity, availability, and/or accountability of those assets
▼ To determine the existing vulnerabilities inherent in the current practices of the organization
▼ To identify the risks posed to the organization with regard to information assets
▼ To recommend changes to current practice that reduce the risks to an acceptable level
▼ To provide a foundation on which to build an appropriate security plan

Figure 7-1. The process of information security
These goals do not change with the type of assessment performed by the organization. However, the extent to which each goal is met will depend on the scope of the work. There are five general types of assessments:

▼ System-Level Vulnerability Assessment: Computer systems are examined for known vulnerabilities and elementary policy compliance.
▼ Network-Level Risk Assessment: The entire computer network and information infrastructure of the organization is assessed for risk areas.
▼ Organization-Wide Risk Assessment: The entire organization is analyzed to identify direct threats to its information assets. Vulnerabilities are identified throughout the organization in the handling of information. All forms of information are examined, including electronic and physical.
▼ Audit: Specific policies are examined and the organization’s compliance with them is reviewed.
▼ Penetration Test: The organization’s ability to respond to a simulated intrusion is examined. This type of assessment is performed only against organizations with mature security programs.

For this discussion, we will assume that audits and penetration tests will be covered during the audit phase of the process. Both of these types of assessments imply some previous understanding of risks and a previous implementation of security practices and risk management. Neither type of assessment is appropriate when an organization is attempting to understand the current state of security within the organization.
You should make assessments by gathering information from three primary sources:

▼ Employee interviews
▼ Document review
▼ Physical inspection

Interviews must be with appropriate employees who will provide information on the existing security systems and the way the organization functions. A good mixture of staff and management positions is critical. Interviews should not be adversarial. The interviewer should attempt to put the subject at ease by explaining the purpose of the assessment and how the subject can assist in protecting the organization’s information assets. Likewise, the subject must be assured that none of the information provided will be attributed directly to him or her.

You should also review all existing security-relevant policies as well as key configuration documents. The examination should not be limited to only those documents that are complete. Documents in draft form should also be examined.

The last part of information gathering is a physical inspection of the organization’s facility. If possible, inspect all the organization’s facilities.
When conducting an assessment of an organization, examine the following areas:

▼ The organization’s network
▼ The organization’s physical security measures
▼ The organization’s existing policies and procedures
▼ Precautions the organization has put in place
▼ Employee awareness of security issues
▼ Employees of the organization
    ▼ The workload of the employees
    ▼ The attitude of the employees
    ▼ Employee adherence to existing policies and procedures
▼ The business of the organization
Network

The organization’s network normally provides the easiest access points to information and systems. When examining the network, begin with a network diagram and examine each point of connectivity.

NOTE: Network diagrams are very often inaccurate or outdated; therefore it is imperative that diagrams are not the only source of information used to identify critical network components.

The locations of servers, desktop systems, Internet access, dial-in access, and connectivity to remote sites and other organizations should all be shown. From the network diagram and discussions with network administrators, gather the following information:

▼ Types and numbers of systems on the network
▼ Operating systems and versions
▼ Network topology (switched, routed, bridged, and so on)
▼ Internet access points
▼ Internet uses
▼ Type, number, and versions of any firewalls
▼ Dial-in access points
▼ Type of remote access
▼ Wide area network topology
▼ Access points at remote sites
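The NOTE above warns that a network diagram must not be the only source used to identify critical components. One practical way to act on that during the assessment is to treat the diagram as a claimed inventory and reconcile it against what was actually observed (for example, DHCP leases, switch ARP tables, or the records of an authorized discovery scan), so that undocumented systems, stale diagram entries, and version drift surface explicitly, and the gathered information (systems by type, operating system versions, Internet and dial-in access points) is tallied from the observed data rather than from the drawing. The script below is an added example written for this page; it is not from the book. The host records, roles, and version strings are constructed sample data, and the role names used to recognize access points are an assumption of the example.

```python
"""Reconcile a documented network diagram against observed hosts.

Added example, not from the book. DIAGRAM and OBSERVED are constructed
sample data standing in for (a) the network diagram plus administrator
interviews and (b) what the assessment actually saw on the wire.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from collections import Counter

# Roles treated as Internet or remote-access entry points (assumption of
# this example; adjust to the organization's own naming).
ACCESS_POINT_ROLES = {"firewall", "dial-in", "vpn"}


@dataclass(frozen=True)
class Host:
    ip: str      # management address as written on the diagram / seen live
    role: str    # system type: firewall, file-server, desktop, dial-in, ...
    os: str      # operating system and version string


# What the diagram and the network administrators claim exists (constructed).
DIAGRAM = [
    Host("10.0.0.1", "firewall", "FW-OS 1.0"),
    Host("10.0.0.10", "file-server", "Windows NT 4.0 SP6"),
    Host("10.0.0.20", "mail-server", "Linux 2.2"),
    Host("10.0.0.50", "desktop", "Windows 98"),
]

# What was actually observed during the assessment (constructed).
OBSERVED = [
    Host("10.0.0.1", "firewall", "FW-OS 1.2"),          # version drifted
    Host("10.0.0.10", "file-server", "Windows NT 4.0 SP6"),
    Host("10.0.0.50", "desktop", "Windows 98"),
    Host("10.0.0.77", "dial-in", "unknown"),            # not on the diagram
    Host("10.0.0.80", "desktop", "Windows 2000"),       # not on the diagram
]


def reconcile(diagram, observed):
    """Compare the claimed inventory with the observed one.

    Returns three sorted lists of addresses:
      undocumented: seen on the network but absent from the diagram
      stale:        on the diagram but not seen on the network
      drifted:      present in both, but role or OS/version disagree
    """
    claimed = {h.ip: h for h in diagram}
    seen = {h.ip: h for h in observed}
    both = set(claimed) & set(seen)
    return {
        "undocumented": sorted(set(seen) - set(claimed), key=ip_address),
        "stale": sorted(set(claimed) - set(seen), key=ip_address),
        "drifted": sorted(
            (ip for ip in both
             if claimed[ip].os != seen[ip].os or claimed[ip].role != seen[ip].role),
            key=ip_address,
        ),
    }


def inventory_summary(hosts):
    """Tally the items the chapter asks for from the observed hosts:
    systems by type, OS versions in use, and access points."""
    return {
        "total_systems": len(hosts),
        "by_role": dict(Counter(h.role for h in hosts)),
        "os_versions": sorted({h.os for h in hosts}),
        "access_points": sorted(
            (h.ip for h in hosts if h.role in ACCESS_POINT_ROLES), key=ip_address
        ),
    }


if __name__ == "__main__":
    delta = reconcile(DIAGRAM, OBSERVED)
    for kind, ips in delta.items():
        print(f"{kind:>12}: {', '.join(ips) or '(none)'}")
    summary = inventory_summary(OBSERVED)
    print(f"systems observed: {summary['total_systems']}")
    print(f"by role:          {summary['by_role']}")
    print(f"OS versions:      {summary['os_versions']}")
    print(f"access points:    {summary['access_points']}")
```

Every address in the "undocumented" list is a candidate critical component the diagram would have hidden; here the constructed data surfaces an unrecorded dial-in access point, which is exactly the kind of entry point the chapter says must be located. The "stale" list flags diagram entries to confirm with administrators before they are carried into the risk assessment as live assets.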