Introduction to the NSA Infosec Assessment Methodology (IAM)
The NSA Infosec Assessment is conducted by a team of individuals who review the information system security posture of an organization to identify potential vulnerabilities and recommend steps for eliminating or mitigating those vulnerabilities. The IAM consists of 18 core subjects; however, these may be modified to ensure the assessment addresses any organization-specific elements.
An Introduction to Information Risk Assessment
An understanding of risk and the application of risk assessment methodology is essential to being able to efficiently and effectively create a secure computing environment. Unfortunately, this is still a challenging area for information professionals due to the rate of change in technology, the relatively recent advent and explosive growth of the Internet, and perhaps the prevalence of the attitude (or reality) that assessing risk and identifying return on investment is simply too hard to do. This has kept information systems and information systems security in the undesirable position of being unable to systematically identify and monetarily quantify security risks. This in turn has led to inconsistent and inappropriate applications of security solutions, as well as either excessive or insufficient funding for such activities. Therefore, this paper addresses the issue of risk with respect to modern information systems.
Data-Centric Quantitative Computer Security Risk Assessment
A quantitative risk assessment strategy is outlined with brief discussions of threat, risk categories and data classification. The differences between quantitative and qualitative assessments are specified with the conclusion that both methods have significant strengths and weaknesses. A quantitative method that spans both assessment types is then presented with rigorous analysis of impact of individual risk factors upon the overall risk to information. A method of easily organizing risk factors according to the quantitative method called a Risk Assessment Orgchart is explained and demonstrated. Careful manipulation of the method can make the analysis very sensitive to data classification and thus data-centric. A discussion on how to assign values to individual risk factors (scoring) should help users of the method be successful. Finally, a simple sample assessment is presented to tie all the analysis elements together and to further clarify the method.
Application of the NSA INFOSEC Assessment Methodology
This paper will look at the structure of the NSA INFOSEC Assessment Methodology and provide an example of the use of the IAM for a fictitious firm, GIAC International Schools, Inc.
Security Assessment Guidelines for Financial Institutions
The paper contains an introduction and two sections. The first section will discuss how to set up a risk assessment and security evaluation program suitable for Financial Institutions. The discussion will include development of the standards, methods, processes and procedures identified for risk assessment, security planning and reviews. The second section will briefly illustrate these concepts by evaluating two fictional MS-SQL Server applications. One application will contain mission critical business data for internal use only and available only on the "trusted" network. The other MS-SQL application will be a Web-based Internet site run by a Service Provider. The methodology discussed can be included during systems development and used to gain approval of review tools and techniques after the move into production.
Quantitative Risk Analysis Step-By-Step
In this paper, the use of a centralized data table containing reference data and estimating techniques for some of the key variables for determining risks and losses will help to present a stronger case for security improvement to management. A discussion of methods for the valuation of tangible and intangible assets will help to quantify the largest information security risk in the U.S., which is theft of proprietary information (Computer Security Institute). Additional focus is placed on important risk areas such as internet security, overseas security concerns, and laptop security. This paper should also help an IT security consultant to obtain new business through the creation of a well-written quantitative risk analysis.
A qualitative risk analysis and management tool - CRAMM
Facing the emerging challenges of the Internet era, managers and information security professionals in business and government should manage specific risks to their organizations to ensure efficient operations. This paper explains the basic components of risk analysis and management processes and mentions different methodologies and approaches. It then describes and discusses CRAMM, an automated tool based on a qualitative risk assessment methodology, by going through the stages of a CRAMM review, i.e. asset identification and valuation, threat and vulnerability assessment, and countermeasure recommendation. Raising organizational awareness, CRAMM is a comprehensive and flexible tool, especially for justifying prioritized countermeasures at a managerial level; it needs, however, qualified and experienced practitioners for efficient results.
An Overview of Threat and Risk Assessment
The purpose of this document is to provide an overview of the process involved in performing a threat and risk assessment. There are many methodologies that exist today on how to perform a risk and threat assessment. There are some that are "open-source" and those that are proprietary. The outcome or objective of a threat and risk assessment is to provide recommendations that maximize the protection of confidentiality, integrity and availability while still providing functionality and usability. In order to best determine the answers to these questions, a company or organization can perform a threat and risk assessment. This can be accomplished using either internal or external resources. It is important that the risk assessment be a collaborative process; without the involvement of the various organizational levels, the assessment can lead to a costly and ineffective security measure.
A Perspective on Threats in the Risk Analysis Process
We have looked at one of the fundamental building blocks in the Risk Analysis process. Asking these key questions (what threats or risks will affect the asset, what is the likelihood of the threats happening, and what impact or effect would the loss of the asset have on the operation of the organization or its personnel) can determine whether the risk analysis process will be a success or failure. We have also shown that applying general and economic risk factors can aid in ranking key assets. We need to keep in mind that these are only the first steps taken in the risk analysis process; however, by applying this methodology we can help ensure that assets that are critical to the organization and vulnerable to threats will be identified.
Application Security, Information Assurance's Neglected Stepchild - A Blueprint for Risk Assessment
The best defensive weapon against all threat areas (external or internal, intentional or accidental) is the Information Assurance audit. A comprehensive Information Assurance audit will cover all aspects of a firm's Information Technology operations, ranging from assessments of network server vulnerability to physical plant security and disaster recovery planning. In this paper we will focus on how to properly assess the security of application software.