Logo

Navigation
 

Network Security Risk Assessment and Measurement

By | on November 10, 2011 |
Disaster Recovery

First Step for Risk Assessment

Information that is gathered everyday regarding client and business transactions are either stored on servers or on user computers. These stored information are considered important and sensitive in the company’s interest and hence they need to be protected from network attacks and other unknown circumstances. Network administrator manage and protect the network through a series of passwords and data encryption.

Unfortunately, there will always be a time wherein an attack, man-made or natural could cause the entire system to shutdown. The worst case scenario would be that the data will be completely lost without a trace.

But before disaster strikes, network developers and IT managers have to be aware of this fact and prepare for the worst. Network disaster could happen in the blink of an eye and network administrators have to be prepared for the worst. 

In order to determine the protocols for disaster recovery, network administrators and IT managers determine how vulnerable their network is to external attacks. Ever possible scenario and source of network interruption is identified so that a more detailed plan for network recovery can be prepared.

Identifying Essential Data/System/Hardware

In any business setting, the information gathered are mostly saved on the server. Each data is important to the company as the information will guide them about their business and records the general performance of a certain product or service available in the market. But not all information is important to the business setting. Some information is saved for archival reasons.  Network administrators and IT managers have to identify which data should be saved.

When disaster strikes, it is important for network administrators to know which information should be restored as soon as possible. When the most important data has been determined, the hardware and system that comes with it should be preserved in times of network disasters.

To fully understand which data has to be saved, network administrators and IT managers should try imagining the worst case scenario: complete information shut down. From that standpoint, the most important data is going to be recognized since without that information, the company can barely continue its operations. That way, network developers can easily work their way in determining which information and hardware is important for them.

Identifying External Blocks

Once the most important data, hardware and system have been identified, it is time to determine how vulnerable they are for different attacks. There are actually two types of attacks that would place the network in a very bad position: natural and man-made.

Man-made attacks are of course are the attacks that network administrators try to avert. Spam, viruses, trojans and DoS attacks should be prevented at all times by the system. Network administrators have to, as much as possible; honestly evaluate their data security so that proper adjustments are made to lessen the vulnerabilities of the data or system.

On the other hand, there are natural causes that destroy the network. Natural occurrences do happen and you have to protect yourself against it. Natural calamities, earthquakes, lightning that hit key areas in the city are some of the natural causes as to why network disaster is possible. Since this is regarding the hardware components of the network, not only network administrators should take a look of this concern but also with the upper management.

By identifying the source of attack, network administrators could easily plan out network security and assessing how vulnerable the users are from different types of attacks.

Measuring the Risk to Your Enterprise

When it comes to disaster recovery, measuring the risk to your enterprise is highly important. We live in a day and age where anything can happen at any time, and hardly anything is certain. Many organizations handle information that is highly sensitive, and should this information become compromised or destroyed, it can threaten the very existence and viability of the organization. Having said that, it is important to measure the risk that your organization has, but this will often require you to demonstrate the threats numerically. But how can this be done?

Another aspect that organizations should consider is the costs that are involved with vulnerability. Once you recognize losses, you will be able to calculate how much these losses will cost if they occur.  After you discover the risks that your organization has, it will be necessary for you to translate this risk into actions that can be used to prevent it. One solution that can be used for this problem is called Security Metrics.

Security Metrics is defined as the measurement of the security policies, as well as the products and processes. Security managers will often search for a formula that can estimate risk and risk reduction, but Security Metrics are much more complex than this.

Being able to measure security is often closely connected to common sense. Managers must be responsible for knowing what to measure, and they must be able to structure the variables in a manner that makes them meaningful and simple to handle. Once they have accomplished this, they can build forumlas which can be repeated, and they will have a view of the security of their organization, and how it will change over a given period of time. Having a deep understanding of Security Metrics will allow managers to carefully evaluate the risks which are connected to their enterprise.

Calculating the Assets Value

Business establishments frequently place a value on all the information which they consider as valuable. This includes software, hardware, as well as data, and the amount of money that many companies spend on IT is testament to this. Organizations will expect that each installation of either hardware or software will give them a positive return on their investment, or at the very least, it matches the price of ownership during its shelf life. However, this type of calculation needs to be made in the right context. This is also why quantifiable values are often used for the information assets, particularly for comparison and evaluation.

There are a number of ways in which you can denote the value of informational assets. One of these is the Productivity Value. Any given asset will be worth as much as the cost of its implementation, at the bare minimum. A good example of this is the PC. The lowest information asset value of a PC can be defined as its cost along with the software that comes with it, and the costs of IT, as well as the time of the user. Productivity value plays an important role in the calculation of many additional security metrics. Another thing that you will want to consider is the Revenue Value.

For many assets, the worth will typically be measured based on the value of the transactions. For example, if the web server for an e-commerce tool is responsible for handling $2 million worth of transactions each day, then this web server is worth $730 million per year. However, you should also note that the Revenue Value may not always be straight forward like this. Many supply chain applications and equipment may not actually create value, however the revenue operators would not be able to function without them. The value of these things will often be measured by the amount of revenue that would be lost if these systems are not available.

The Liquid Financial Assets Value

The assets under management numbers that are often connected with financial enterprises showcase a simple method for the assessment of their value. For example, if a financial firm has $1 billion in management, this amount, in addition to the productivity value, offers the true value that is being protected. Once you add the price of the transaction assets to this, you will have the complete amount of information that needs protection. In addition to the Liquid Financial Assets Value, you should also mention the Intellectual Property value. This is perhaps the hardest asset to find a value for.

However, this is often seen as the very reason that a company exists to begin with. There are a number of books which have complicated equations that can be used to determine the value of intellectual property, but at the same time, a may be easier to simply think about the contribution that the intellectual property has made to the organization, and its capitalization of the market. The value for this can be estimated by simply multiplying the number of intellectual property that has been collected on systems to the difference among the book value of the capital market.

Getting Everything Together

Although risk assessment is just a full time task for better knowledge, it is very important. Risk assessment defines the stage as to where the security protocols should start with. When every component has been scrutinized, it is time to present the results.

In a large scale business, developers have to create a document regarding risk assessment. When everything has been said and done, it is time to write about the status of a certain environment and protocol. Through this simple document, network administrators and upper management should know where to save the important document so that it could be extracted easily when the problem arises.

« « Is Your Corporate Network Secure and Confidential?
Effective Business Continuity Planning » »

Author Description

Chandra Vennapoosa

Chandra Vennapoosa, B.S Arch Graduate, Managing Director - Exforsys Inc, Founder of exforsys.com and geekinterview.com. Chandra's mission is "to provide quality career coaching and interview advice for aspiring candidates". She is an avid writer and is also very passionate to help others become professional freelancers. In addition to several online trainings, she has authored the popular book "How to Become a Successful Freelancer"

Exforsys e-Newsletter

ebook
 
© 2024. All Rights Reserved.IT Training and Consulting