Handbook of Information Security Management:Communications Security



METHOD OF ANALYSIS

Analysis methodologies may range from informal reviews of small office automation installations through formal risk assessments at major data centers. An informal security review can be used for systems with low-level risk designations. Formal security assessments should be required for high-level risk environments. Below is a further discussion of levels of protection.

Automated Risk Assessment

There are a considerable number of automated risk assessment packages, of varying capabilities and costs, available in the marketplace. These automated packages address large and medium facilities, applications, office automation, and LAN/WAN environments. Several packages contain general analyses of network vulnerabilities applicable to LANs. These packages have been found to have adequate coverage of LAN administration, protection of file servers, and PC/LAN backup practices and procedures.

Questionnaires and Checklists

The key to good security management is measurement — knowing where one is in relation to what needs to be done. Questionnaires are one way to gather relevant information from the user community. A PC/LAN questionnaire can be a simple, quick, and effective tool to support informal and formal risk assessments. For small, informal risk assessments, the PC/LAN questionnaire can be the main assessment tool. A checklist is another valuable tool for helping to evaluate the status of security.

A customized version of an automated questionnaire and assessment can be developed by security consultants as well. With this approach, the tool prompts the user to respond to a series of PC and LAN questions, which are tailored online to the user’s environment, and then provides recommendations to improve the user’s security practices and safeguards. Typically designed for the average PC user, this approach functions as a risk assessment tool. A questionnaire/checklist may be a useful first step in determining whether a more formal or extensive risk assessment needs to be done, as well as in guiding the direction of that risk assessment.

LAN/WAN SECURITY IMPLEMENTATION

This section provides a step-by-step approach for implementing cost-effective LAN/WAN security. A simple example is used to illustrate this approach. The steps performed in the implementation process include determining and reviewing responsibilities, determining required procedures, determining security level requirements, and determining detailed security procedures.

Determine/Review Responsibilities

The first step in LAN/WAN security implementation is to know who is responsible for doing what. LAN/WAN security is a complex undertaking, requiring an integrated team effort. Responsibilities must be defined for managers of facilities, information technology operations personnel, and managers of application systems which run on LANs.

In addition, every area network should require a LAN/WAN administrator and an information systems security officer whose specific duties include the implementation of appropriate general, technical (e.g., access controls and internetwork security), and operational (e.g., backups and contingency planning) controls. In general, the security officer is responsible for the development and coordination of LAN and WAN security requirements, including the “Computer Systems Security Plan.” The LAN/WAN administrator is responsible for the proper implementation and operation of security features on the LAN/WAN.

Determine Required Procedures

The second step is to understand the type and relative importance of protection needed for a LAN. As stated above, a LAN may need protection for reasons of confidentiality, integrity, and availability. For each of the three categories there are three subcategories to determine the level of security needed: High, Medium, or Low. A matrix approach can be used to document the conclusions for needed security. This involves ranking the security objectives for the LAN being reviewed, using the following simple matrix.

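Typical Security Matrix (Level of Protection Needed)

| Security Objectives | High (Level 3) | Medium (Level 2) | Low (Level 1) |
|---------------------|----------------|------------------|---------------|
| Confidentiality     |                |                  |               |
| Integrity           |                |                  |               |
| Availability        |                |                  |               |
| Overall             |                |                  |               |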

The result is an overall security designation of low (Level 1), medium (Level 2), or high (Level 3). In all instances, the security level designation of a LAN should be equal to or higher than the highest security level designation of any data it processes or systems it runs. This security level designation determines the minimum security safeguards required to protect sensitive data files and to ensure the operational continuity of critical processing capabilities.

This matrix analysis approach to documenting security designations can be expanded and refined into more complex models with security objective subcategories and possibly the use of weighted value assignments for categories. Most automated packages are based on more complex measurement models.

Determine Security Level Requirements

Once the level of protection has been determined, the next step is to determine the security level requirements. Using the simple model that has been created to illustrate this approach, the following is a suggested definition of the minimum security requirements for each level of protection.

Level 1 Requirements

The suggested controls required to adequately safeguard a Level 1 system are considered good management practices. These include, but are not limited to, the following.

1.  Information systems security awareness and training.
2.  Position sensitivity designations.
3.  Physical access controls.
4.  A complete set of information systems and operations documentation.

Level 2 Requirements

The suggested controls required to adequately safeguard a Level 2 system include all of the requirements for Level 1, plus the following requirements.

1.  A detailed risk management program.
2.  Record retention procedures.
3.  A list of authorized users.
4.  Security review and certification procedures.
5.  Clearance (i.e., appropriate background checks) for persons in sensitive positions.
6.  A detailed fire/catastrophe plan.
7.  A formal written contingency plan.
8.  A formal risk analysis.
9.  An automated audit trail.
10.  Authorized access and control procedures.
11.  Secure physical transportation procedures.
12.  Secure telecommunications.
13.  An emergency power program.
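
The matrix and the Level 1 and Level 2 lists above can be applied mechanically, as in the following added example (not from the handbook). The function names are hypothetical, the Overall row is assumed to be the highest single objective ranking, and no Level 3 additions appear because this section does not list them.

```python
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Controls added at each level, taken from the Level 1 and Level 2 lists above.
ADDED_AT = {
    1: ["security awareness and training", "position sensitivity designations",
        "physical access controls", "systems and operations documentation"],
    2: ["risk management program", "record retention procedures",
        "list of authorized users", "security review and certification",
        "clearance for sensitive positions", "fire/catastrophe plan",
        "written contingency plan", "formal risk analysis",
        "automated audit trail", "authorized access and control procedures",
        "secure physical transportation", "secure telecommunications",
        "emergency power program"],
}


def designate(objectives, hosted=()):
    """Overall LAN level (1-3) from the matrix rankings.

    Assumption: Overall is the highest objective ranking. The LAN is then
    raised to at least the highest level of any data or system it hosts.
    """
    missing = {"confidentiality", "integrity", "availability"} - set(objectives)
    if missing:
        raise ValueError(f"unranked objectives: {sorted(missing)}")
    ranks = [LEVELS[v.lower()] for v in objectives.values()]
    ranks += [LEVELS[v.lower()] for v in hosted]
    return max(ranks)


def required_controls(level):
    """Controls are cumulative: each level includes every lower level's list."""
    return [c for lvl in sorted(ADDED_AT) if lvl <= level for c in ADDED_AT[lvl]]


def control_gaps(level, implemented):
    """Required controls not yet in place, in the order the lists give them."""
    have = {c.lower() for c in implemented}
    return [c for c in required_controls(level) if c not in have]


# Constructed sample: a LAN ranked low on every objective that also carries
# an application designated medium, so the LAN itself becomes Level 2.
lan = {"confidentiality": "low", "integrity": "low", "availability": "low"}
level = designate(lan, hosted=["medium"])
gaps = control_gaps(level, ["Physical access controls", "Automated audit trail"])
print(f"Level {level}: {len(gaps)} of {len(required_controls(level))} controls missing")
```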

