Process for Risk Assessment PowerPoint Presentation
PowerPoint Slideshow about 'Process for Risk Assessment' - LionelDale
Presentation Transcript
Process for Risk Assessment
  • Specification of the object (Business unit, one system)
  • Identify assets which need protection (data, systems, network, a server)
  • Identify threats (incidents)
  • Identify the potential damage (harm) to the company and the frequency of such a threat: the potential business impact
  • Identify the level of threat
  • Identify the control environment
  • Identify the level of risk (the threat level set against the control environment)
The K-Glove Company
  • Copenhagen (location C) – 250 employees
    • Sale
    • Marketing
    • Development
    • Administration
  • Copenhagen (location A) – 100 employees
    • Distribution
    • Stock (Storeroom)
  • A location B in China – ? employees
    • Production
The K-Glove Server Farm
  • Copenhagen (location C)
    • Exchange
    • SQL Server
    • Citrix
    • Windows 2000 file and print server
    • CRM-system
    • Web-server
  • Copenhagen (location A)
    • Printers
    • Possibly a modem connection to the Internet
    • Production equipment connected to the intranet
  • A location in China
    • Internet connection for e-mails
The K-Glove Network
  • Copenhagen (location C)
    • Firewall
      • Internet connection
      • Web site connected to DMZ1
      • E-mail proxy server and antivirus shield connected to DMZ2
      • VPN box in DMZ3
      • The DMZ environment uses a LAN switch with five VLANs
    • WLAN link-to-link connection to location Copenhagen (location B)
    • LAN fully switched to the desktop
    • Dial-in solution with a toll-free number connected directly to Active Directory
  • Copenhagen (location A)
    • Hub-based solution
    • WLAN
  • A location in China
    • ?
The K-Glove IT Security
  • Firewall
    • Everything is allowed from inside out
    • Nothing is allowed from outside in, except ports 25, 80 and 443
    • Rules from inside to the DMZ are unknown
    • The firewall log file is not used
  • LAN
    • The password for all LAN boxes is identical
    • PDS cabling and Coax
    • Radio point connected to a hub
    • Radio point uses the standard configuration with WEP encryption
  • No IT Security Policy
  • The production equipment has a static (hard-coded) password
The K-Glove Case
  • Does the IT security fulfil ISO 17799?
  • Choose an area to inspect, for example the WLAN link-to-link connection
  • Follow the process for Risk Assessment
  • Use the form and fill in the observations
More facts to work with
  • System administrator is responsible for security
  • Backups are done (but not systematically) to tapes and CDs. Backups are stored on-site, and there is limited testing of the backups. Only servers are backed up.
  • The server room is a normal room with access from the system administrator's office.
  • Original software is stored in a safe.
  • The precise network setup is not known by the IT staff. Users have full (outgoing) Internet access.
  • Users are responsible for their own passwords.
  • Users sometimes store their documents on the local machines.
  • No documents or systems are encrypted or integrity protected.
  • Sales people have access from outside to all product information using the dial-in access.
  • The economy system (accounting, salaries, etc.) is on the database server. Access is password protected, but the password is shared among all users of the system.
  • Plans for new products are distributed to locations A and B
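The process slide lists the seven steps but gives no scoring rule, and the case slides ask you to apply the process to K-Glove and fill in a form. The following Python is an added example (not part of the presentation) that carries three K-Glove assets through the steps. The 1..5 scales, the threat-level and control-level rules, and the Low/Medium/High cut-offs are assumed conventions chosen for illustration; the observations come from the case slides, and the "effective" judgements on each control are the assessor's own (constructed here).

```python
"""Worked risk assessment for the K-Glove case (added example).

The slides name the steps but give no formula, so the scales, the
threat-level and control-level rules and the rating thresholds below
are assumed conventions. Observations are taken from the case slides;
the effectiveness judgements are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Threat:
    name: str
    impact: int       # step 4: potential business impact, 1 (negligible) .. 5 (severe)
    frequency: int    # step 4: expected frequency, 1 (rare) .. 5 (frequent)


@dataclass
class Control:
    name: str
    effective: bool   # assessor's judgement: does this control really reduce the threat?


@dataclass
class Asset:
    name: str
    scope: str        # step 1: the object under assessment (business unit / system)
    threats: List[Threat] = field(default_factory=list)    # step 3
    controls: List[Control] = field(default_factory=list)  # step 6


def _check_scale(value: int) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"scale value {value} outside 1..5")


def threat_level(t: Threat) -> int:
    """Step 5: combine impact and frequency into a 1..5 level (assumed: ceil(i*f/5))."""
    _check_scale(t.impact)
    _check_scale(t.frequency)
    return -(-(t.impact * t.frequency) // 5)


def control_level(controls: List[Control]) -> int:
    """Step 6: rate the control environment 1..5 (assumed rule).
    No controls, or none that work, rates 1; all effective rates 5."""
    if not controls:
        return 1
    effective = sum(1 for c in controls if c.effective)
    return 1 + round(4 * effective / len(controls))


def risk_level(asset: Asset) -> Dict[str, object]:
    """Step 7: threat level set against the control environment.
    Score is 1..25; the Low/Medium/High thresholds are assumed."""
    if not asset.threats:
        raise ValueError(f"{asset.name}: no threats identified, cannot rate risk")
    tl = max(threat_level(t) for t in asset.threats)   # worst threat drives the asset
    cl = control_level(asset.controls)
    score = tl * (6 - cl)
    rating = "Low" if score <= 5 else "Medium" if score <= 12 else "High"
    return {"scope": asset.scope, "asset": asset.name, "threat_level": tl,
            "control_level": cl, "score": score, "rating": rating}


def k_glove_assessment() -> List[Dict[str, object]]:
    """Apply the process to three assets described on the case slides."""
    wlan = Asset(
        name="WLAN link-to-link connection",
        scope="Copenhagen network, between the two locations",
        threats=[Threat("Eavesdropping on link traffic", impact=4, frequency=3),
                 Threat("Unauthorised device joins the radio link", impact=4, frequency=2)],
        # WEP is a broken cipher; the radio point sits on a hub, so no segmentation.
        controls=[Control("WEP encryption, standard configuration", effective=False),
                  Control("Network segmentation behind the radio point", effective=False)],
    )
    accounting = Asset(
        name="Economy system (accounting, salaries)",
        scope="Database server, location C",
        threats=[Threat("Unauthorised read of salary data", impact=5, frequency=3),
                 Threat("Loss of accounting data", impact=5, frequency=1)],
        controls=[Control("Password protection (one password shared by all users)", effective=False),
                  Control("Server backups to tape/CD (unsystematic, stored on-site)", effective=False),
                  Control("Server room reached only via the administrator's office", effective=True)],
    )
    media = Asset(
        name="Original software media",
        scope="Location C",
        threats=[Threat("Loss or theft of installation media", impact=2, frequency=1)],
        controls=[Control("Stored in a safe", effective=True)],
    )
    return [risk_level(a) for a in (wlan, accounting, media)]


if __name__ == "__main__":
    for row in k_glove_assessment():
        print(f"{row['rating']:<6} score={row['score']:>2}  {row['asset']} ({row['scope']})")
```

Each returned row is one line of the form the case slide asks you to fill in: object, asset, threat level, control environment and resulting risk. Under the assumed rules the WLAN link rates High because both observed controls fail, the economy system rates Medium because one physical control still counts, and the software media rates Low. Changing the scales or thresholds changes the numbers but not the structure of the process.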