This document outlines the structured process for risk assessment for K-Glove Company, detailing asset identification, threat analysis, and potential business impact. The assessment covers both Copenhagen and the China locations, focusing on critical assets like servers, networks, and production equipment. It evaluates current IT security measures against standards such as ISO 17799, highlighting vulnerabilities like shared passwords, lack of encryption, and inconsistent backup procedures. The aim is to establish a robust security framework that ensures effective protection against potential threats.
Process for Risk Assessment
• Specification of the object (business unit, one system)
• Identify the assets which need protection (data, systems, network, a server)
• Identify threats (incidents)
• Identify the potential damage (harm) to the company, as well as the expected frequency of such a threat

Potential Business Impact
• Identify the level of threat
• Identify the control environment
• Identify the level of risk (the threat level set against the control environment)
The K-Glove Company
• Copenhagen (location C) – 250 employees
  • Sales
  • Marketing
  • Development
  • Administration
• Copenhagen (location A) – 100 employees
  • Distribution
  • Stock (storeroom)
• Location B in China – ? employees
  • Production
The K-Glove Server Farm
• Copenhagen (location C)
  • Exchange
  • SQL Server
  • Citrix
  • Windows 2000 file and print server
  • CRM system
  • Web server
• Copenhagen (location A)
  • Printers
  • Possibly a modem connection to the Internet
  • Production equipment connected to the intranet
• Location in China
  • Internet connection for e-mail
The K-Glove Network
• Copenhagen (location C)
  • Firewall
  • Internet connection
  • Web site connected to DMZ1
  • E-mail proxy server and antivirus shield connected to DMZ2
  • VPN box in DMZ3
  • DMZ environment uses a LAN switch with five VLANs
  • WLAN link-to-link connection to Copenhagen (location B)
  • LAN fully switched to the desktop
  • Dial-in solution with a free number connected directly to Active Directory
• Copenhagen (location A)
  • Hub-based solution
  • WLAN
• Location in China
  • ?
The K-Glove IT Security
• Firewall
  • Everything is allowed from inside out
  • Nothing is allowed from outside in, except ports 25, 80 and 443
  • What is allowed from inside to the DMZ is unknown
  • The log file is not used
• LAN
  • The password for all LAN boxes is identical
  • PDS cabling and coax
  • Radio point connected to a hub
  • Radio point uses the standard configuration with WEP encryption
• No IT security policy
• The production equipment has a static (hard-coded) password
The K-Glove Case
• Does the IT security fulfil ISO 17799?
• Choose an area to inspect, for example the WLAN link-to-link connection
• Follow the process for risk assessment
• Use the form and fill in the observations
More facts to work with
• The system administrator is responsible for security
• Backups are made (but not systematically) to tapes and CDs. Backups are stored on-site, and there is limited testing of them. Only servers are backed up.
• The server room is an ordinary room with access from the system administrator's office.
• Original software is stored in a safe.
• The precise network setup is not known by the IT staff. Users have full (outgoing) Internet access.
• Users are responsible for their own passwords.
• Users sometimes store their documents on the local machines.
• No documents or systems are encrypted or integrity protected.
• Sales people have access from outside to all product information via the dial-in access.
• The economy system (accounting, salaries, etc.) is on the database server. Access is password protected, but the password is shared among all users of the system.
• Plans for new products are distributed to A and B
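Applying the assessment steps (asset, threat, damage and frequency, control environment, risk level) to the K-Glove observations, as an added example that is not part of the slides; the 1-5 scales, the banding and every score in the register are assumptions chosen for illustration:

```python
"""Worked risk assessment for the K-Glove case, following the slide steps.
Added example: the scales and every score are assumptions, not figures from the case."""
from dataclasses import dataclass


@dataclass
class Observation:
    asset: str       # what needs protection
    threat: str      # the incident
    impact: int      # potential damage to the company, 1 (minor) .. 5 (severe)
    frequency: int   # how often the threat is expected, 1 (rare) .. 5 (frequent)
    control: int     # strength of the control environment, 0 (none) .. 4 (strong)


def threat_level(o: Observation) -> int:
    """Inherent threat level: damage weighed against frequency, on a 1..25 scale."""
    return o.impact * o.frequency


def residual_risk(o: Observation) -> int:
    """Risk level: the threat set against the control environment.
    Controls lower the frequency of a successful incident, never below 1."""
    return o.impact * max(1, o.frequency - o.control)


def band(score: int) -> str:
    """Map a 1..25 score onto the risk levels used on the assessment form (assumed bands)."""
    for floor, name in ((15, "Critical"), (10, "High"), (5, "Medium")):
        if score >= floor:
            return name
    return "Low"


def assess(observations):
    """Return (asset, threat level, residual risk, band) rows, highest risk first."""
    rows = [(o.asset, threat_level(o), residual_risk(o), band(residual_risk(o)))
            for o in observations]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed register from the case observations; all scores are assumptions.
KGLOVE = [
    Observation("WLAN link-to-link C<->B", "eavesdropping on WEP-protected radio link", 4, 4, 1),
    Observation("LAN switches/boxes", "misuse of the identical shared password", 4, 3, 0),
    Observation("Firewall", "intrusion goes unnoticed (log file not used)", 5, 3, 1),
    Observation("Production equipment", "tampering via hard-coded static password", 4, 2, 0),
    Observation("Server backups", "data loss from untested on-site tapes", 5, 2, 1),
    Observation("Original software", "loss of installation media (kept in safe)", 2, 1, 3),
]

if __name__ == "__main__":
    for asset, inherent, residual, level in assess(KGLOVE):
        print(f"{level:8} threat={inherent:2} risk={residual:2}  {asset}")
```

The ordering is what the form is meant to produce: the same asset can rate high on threat yet lower on risk once the control environment is credited, so the register is ranked by residual risk, not by inherent threat.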