The Importance of Proper Controls

Network Controls

• Developing a secure network means developing mechanisms that reduce or eliminate the threats to network security, called controls.

• There are three types of controls:

– Preventative controls - mitigate or stop a person from acting or an event from occurring (e.g., passwords).

– Detective controls - reveal or discover unwanted events (e.g., auditing software).

– Corrective controls - rectify an unwanted event or a trespass (e.g., reinitiating a network circuit).

The Risk Management Process

• Identify IT Risks

• Assess IT Risks

• Identify IT Controls

• Document IT Controls

• Monitor IT Risks and Controls

Risk Assessment

• Risk assessment is the process of making a network more secure, by comparing each security threat with the control designed to reduce it (where are controls needed?).

• Cost Benefit Assessment (which controls are appropriate based on cost-reward tradeoff?)

• Vulnerability Assessment (how effective are the controls? are they working properly?)

Risk Assessment

• One way to do this is by developing a control spreadsheet.

• Network assets are listed down the side.

• Threats are listed across the top of the spreadsheet.

• The cells of the spreadsheet list the controls that are currently in use to address each threat.

Valuation of Asset

• Assets: People, Data, Hardware, Software, Facilities, (Procedures)

• Valuation Methods

– Criticality to the organization’s success

– Revenue generated

– Profitability

– Cost to replace

– Cost to protect

– Embarrassment/Liability

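Sample control spreadsheet

Threats are grouped as Disruption, Destruction, Disaster (Fire, Flood, Power Loss, Circuit Failure, Virus) and Unauthorized Access (External Intruder, Internal Intruder, Eavesdrop).

| Assets | Fire | Flood | Power Loss | Circuit Failure | Virus | External Intruder | Internal Intruder | Eavesdrop |
|---|---|---|---|---|---|---|---|---|
| (92) Mail Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (90) Web Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (90) DNS Server | 1, 2 | 1, 3 | 4 | 5, 6 | 7, 8 | 9, 10, 11 | 9, 10 | |
| (50) Computers on 6th floor | 1, 2 | 1, 3 | | | 7, 8 | 10, 11 | 10 | |
| (50) 6th floor LAN circuits | 1, 2 | 1, 3 | | | | | | |
| (80) Building A Backbone | 1, 2 | 1, 3 | | 6 | | | | |
| (70) Router in Building A | 1, 2 | 1, 3 | | | | 9 | 9 | |
| (30) Network Software | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |
| (100) Client Database | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |
| (100) Financial Database | | | | | 7, 8 | 9, 10, 11 | 9, 10 | |
| (70) Network Technical staff | 1 | 1 | | | | | | |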

Figure 10-6 (cont.) Sample control spreadsheet list of controls

Controls

1. Disaster Recovery Plan
2. Halon fire system in server room. Sprinklers in rest of building
3. Not on or below ground level
4. Uninterruptible Power Supply (UPS) on all major network servers
5. Contract guarantees from inter-exchange carriers
6. Extra backbone fiber cable laid in different conduits
7. Virus checking software present on the network
8. Extensive user training on viruses and reminders in monthly newsletter
9. Strong password software
10. Extensive user training on password security and reminders in monthly newsletter
11. Application Layer firewall

Evaluate the Network’s Security

• The last step in designing a control spreadsheet is evaluating the adequacy of the controls and the degree of risk associated with each threat.

• Based on this, priorities can be decided on for dealing with threats to network security.

• The assessment can be done by the network manager, but it is better done by a team of experts chosen for their in-depth knowledge about the network and environment being reviewed.
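
One way to carry out this evaluation step on the sample control spreadsheet, as an added example that is not part of the original slides. It assumes the parenthesised number beside each asset is its score, reads each row's control numbers into the threat columns those controls address, and treats a blank cell as "no control listed".

```python
from collections import Counter

THREATS = ["Fire", "Flood", "Power Loss", "Circuit Failure", "Virus",
           "External Intruder", "Internal Intruder", "Eavesdrop"]

# Cells transcribed from the sample control spreadsheet; blank cells are omitted.
SERVER = {"Fire": [1, 2], "Flood": [1, 3], "Power Loss": [4],
          "Circuit Failure": [5, 6], "Virus": [7, 8],
          "External Intruder": [9, 10, 11], "Internal Intruder": [9, 10]}
DATA = {"Virus": [7, 8], "External Intruder": [9, 10, 11],
        "Internal Intruder": [9, 10]}
SITE = {"Fire": [1, 2], "Flood": [1, 3]}

# asset -> (parenthesised number from the slide, assumed to be its score, cells)
SHEET = {
    "Mail Server": (92, SERVER),
    "Web Server": (90, SERVER),
    "DNS Server": (90, SERVER),
    "Computers on 6th floor": (50, {**SITE, "Virus": [7, 8],
        "External Intruder": [10, 11], "Internal Intruder": [10]}),
    "6th floor LAN circuits": (50, SITE),
    "Building A Backbone": (80, {**SITE, "Circuit Failure": [6]}),
    "Router in Building A": (70, {**SITE, "External Intruder": [9],
        "Internal Intruder": [9]}),
    "Network Software": (30, DATA),
    "Client Database": (100, DATA),
    "Financial Database": (100, DATA),
    "Network Technical staff": (70, {"Fire": [1], "Flood": [1]}),
}

def gaps(sheet=SHEET):
    """Blank cells as (score, asset, threat), highest-scored asset first.
    A blank may also mean 'not applicable'; the review team decides."""
    found = [(score, asset, t) for asset, (score, cells) in sheet.items()
             for t in THREATS if not cells.get(t)]
    return sorted(found, key=lambda g: (-g[0], g[1], g[2]))

def uncovered_threats(sheet=SHEET):
    """Threat columns that have no control listed for any asset."""
    return [t for t in THREATS
            if not any(cells.get(t) for _, cells in sheet.values())]

def reliance(sheet=SHEET):
    """How many cells cite each control number, most-cited first."""
    return Counter(c for _, cells in sheet.values()
                   for ctrls in cells.values() for c in ctrls).most_common()

if __name__ == "__main__":
    print("Threats with no control anywhere:", uncovered_threats())
    for score, asset, threat in gaps()[:10]:
        print(f"({score}) {asset}: no control listed for {threat}")
    print("Most relied-on controls:", reliance()[:3])
```

The ranked gap list gives the review team a starting order for deciding priorities, and the reliance count shows which single controls the spreadsheet leans on most heavily.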