Process for risk assessment
Assignment 1 The K-Glove Compagny - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Assignment 1 The K-Glove Compagny' - LionelDale

Presentation Transcript
Process for Risk Assessment

  • Specification of the object (Business unit, one system)

  • Identify assets which need protection (data, systems, network, a server)

  • Identify threats (incidents)

  • Identify potential damage (harm) to the company which can be exposed as well as the frequency of such a threat. Potential Business Impact

  • Identify the level of threat

  • Identify the control environment

  • Identify the level of risk (the threat level weighed against the control environment)

The K-Glove Compagny

  • Copenhagen (location C) – 250 employees

    • Sales

    • Marketing

    • Development

    • Administration

  • Copenhagen (location A) – 100 employees

    • Distribution

    • Stock (Storeroom)

  • A location B in China – ? employees

    • Production

The K-Glove Serverfarm

  • Copenhagen (location C)

    • Exchange

    • SQL Server

    • Citrix

    • Windows 2000 file and print server

    • CRM-system

    • Web-server

  • Copenhagen (location A)

    • Printers

    • Maybe modem connection to Internet

    • Production equipment connected to the intranet

  • A location in China

    • Internet connection for e-mails

The K-Glove Network

  • Copenhagen (location C)

    • Firewall

      • Internet connection

      • Web site connected to DMZ1

      • E-mail proxy-server and antivirus-shield connected to DMZ2

      • VPN box DMZ3

      • The DMZ environment uses a LAN switch with five VLANs

    • WLAN link-to-link connection to location Copenhagen (location B)

    • LAN fully switched to the desktop

    • Dial-in solution with a free number, connected directly to Active Directory

  • Copenhagen (location A)

    • Hub-based solution

    • WLAN

  • A location in China

    • ?

The K-Glove IT Security

  • Firewall

    • Everything is allowed from inside out

    • Nothing is allowed from outside to inside, except ports 25, 80 and 443

    • Rules from inside to the DMZ are unknown

    • The log file is not used

  • LAN

    • Password to all LAN boxes is identical

    • PDS cabling and Coax

    • Radio point connected to the hub

    • Radio point uses the standard configuration with WEP encryption

  • No IT Security Policy

  • The production equipment has a static (hard-coded) password

The K-Glove Case

  • Does the IT security fulfil ISO 17799?

  • Choose an area to inspect, for example the WLAN link-to-link connection

  • Follow the process for Risk Assessment

  • Use the form and fill in the observations

More facts to work with

  • System administrator is responsible for security

  • Backup is done (but not systematically) to tapes and CDs. Backups are stored on-site, and there is limited testing of the backups. Only servers are backed up.

  • The server room is a normal room with access from the system administrator's office.

  • Original software is stored in a safe.

  • The precise network setup is not known by the IT staff. Users have full (outgoing) Internet access.

  • Users are responsible for their own passwords.

  • Users sometimes store their documents on the local machines.

  • No documents or systems are encrypted or integrity protected.

  • Salespeople have access from outside to all product information using the dial-in access.

  • The economy system (accounting, salaries, etc.) is on the database server. Access is password protected, but the password is shared among all the users of the system.

  • Plans for new products are distributed to locations A and B.
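The following is an added example, not part of the assignment slides, of how the risk assessment process from the first slide can be applied to observations from the K-Glove IT security and facts slides. The three-point scales for impact, frequency and control strength, the score thresholds, and the specific ratings given to each observation are assumptions made here for illustration; a real assessment would set them with the business.

```python
from dataclasses import dataclass

# Ordinal scales are an assumption of this example, not of the assignment form.
IMPACT = {"low": 1, "medium": 2, "high": 3}          # potential business impact
FREQUENCY = {"rare": 1, "occasional": 2, "frequent": 3}
CONTROL = {"none": 3, "weak": 2, "adequate": 1}      # weaker controls leave more residual risk


@dataclass(frozen=True)
class Observation:
    asset: str       # what needs protection
    threat: str      # the incident that could occur
    impact: str      # potential damage to the company
    frequency: str   # how often the threat is expected
    control: str     # control environment around the asset


def threat_level(obs: Observation) -> int:
    """Threat level = impact x frequency, both on the 1..3 scale (1..9)."""
    return IMPACT[obs.impact] * FREQUENCY[obs.frequency]


def risk_level(obs: Observation) -> int:
    """Risk = threat level weighed against the control environment (1..27)."""
    return threat_level(obs) * CONTROL[obs.control]


def risk_rating(score: int) -> str:
    """Map a numeric risk score to a rating; thresholds are an assumption."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_observations(observations):
    """Return (rating, score, observation) tuples, highest risk first."""
    scored = [(risk_rating(risk_level(o)), risk_level(o), o) for o in observations]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed entries drawn from the K-Glove slides; the ratings are illustrative judgements.
K_GLOVE = [
    Observation("WLAN link-to-link between locations", "eavesdropping on traffic",
                "high", "frequent", "weak"),     # WEP with standard configuration
    Observation("Economy system on SQL Server", "misuse via shared password",
                "high", "occasional", "weak"),   # one password for all users
    Observation("Servers (Exchange, SQL, file/print)", "data loss after hardware failure",
                "high", "rare", "weak"),         # unsystematic, untested, on-site backups
    Observation("Original software in safe", "theft of installation media",
                "low", "rare", "adequate"),
]

if __name__ == "__main__":
    for rating, score, o in rank_observations(K_GLOVE):
        print(f"{rating:6} {score:2}  {o.asset}: {o.threat}")
```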