[FW1] RE: Security policy and risk analysis questions
A very good question in my opinion.
I have been working on a model that I use for myself and my clients.
Security is based upon a company's risk management posture, the possibility
of something happening and the probability of something occurring.
Therefore, I use a simple formula such as: Security Requirement SR =
Possibility x Probability / Your posture [SR = (Ps x Pr) / Sp].
Using that I can look at my assets, apply the probability (which can be
fully calculated if you want, or with an experienced guess pick a value), the
possibility (which generally is high, all dependencies applied) and you know
your client's posture by now (I hope).
For example: An NT Web Server with IIS
Possibility = .75
Probability = .55
Posture = .5
So, SR=(.75x.55) / .50
SR = .825 (82.5% out of 100)
You need to secure this web server.
This is not the most scientific, however, it does work in most cases and
both the client and I are able to sit down and calculate the security
requirements easier because of it.
If you want to get real complicated quick, you can begin to factor in other
pieces of data that you can quantify (such as OS security, networking
issues, etc.) which also have an impact on your risk analysis.
Good Luck,
Look for risk management for more information.
> -----Original Message-----
> From: owner-firewall-wizards@nfr.net
> [mailto:owner-firewall-wizards@nfr.net]On Behalf Of Frank Pawlak
> Sent: Tuesday, April 27, 1999 9:58 AM
> To: firewall-wizards@nfr.net
> Subject: Security policy and risk analysis questions
>
>
> I am in the process of developing a network security policy and
> am stuck in a few areas. So far I have completed the following:
>
> Identified the assets to be protected
>
> Defined what those assets are worth to the organization
>
> Identified the sources of attack
>
> My question concerns the risk analysis. It is my understanding
> that the risk analysis is used to determine the amount to spend
> to protect the assets. My problem is assigning a probability to
> any of the defined threats that an attack will occur from that
> threat. I realize that this is a highly subjective area. I have
> searched many books and articles on security policy development
> without getting much information in this particular area of the
> risk analysis.
>
> Any help or guidelines would be most appreciated. My thanks in
> advance for all advice.
>
> Frank
>
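An added example, not from the original post, that codes the SR = (Ps x Pr) / Sp model described above over a small constructed asset inventory, range-checks the inputs (a posture of 0 divides by zero, and a weak posture pushes SR past 100%), and ranks the assets by SR; the asset names other than the IIS server and the 0.5 "secure it" threshold are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    possibility: float  # Ps: can the threat materialise at all? (0..1)
    probability: float  # Pr: how likely is it to actually occur? (0..1)
    posture: float      # Sp: current security posture (0 < Sp <= 1)


def security_requirement(ps: float, pr: float, sp: float) -> float:
    """SR = (Ps x Pr) / Sp as given in the post, with the inputs range-checked.

    Note that the formula is not bounded to 0..1: whenever Ps x Pr exceeds
    Sp, SR comes out above 1.0, i.e. more than 100%.
    """
    for label, value in (("possibility", ps), ("probability", pr)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{label} must be within 0..1, got {value}")
    if not 0.0 < sp <= 1.0:
        raise ValueError(f"posture must be within (0, 1], got {sp}")
    return (ps * pr) / sp


def rank_assets(assets, threshold=0.5):
    """Return (name, SR, needs_securing) tuples, most urgent first.

    The 0.5 threshold is an assumption, not a figure from the post.
    """
    scored = [
        (a.name, round(security_requirement(a.possibility, a.probability, a.posture), 4))
        for a in assets
    ]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, sr, sr >= threshold) for name, sr in scored]


# Constructed sample inventory; the IIS server uses the figures from the post.
SAMPLE_ASSETS = [
    Asset("NT web server (IIS)", 0.75, 0.55, 0.50),
    Asset("internal file server", 0.40, 0.30, 0.80),
    Asset("dial-in RAS box", 0.60, 0.50, 0.20),
]

if __name__ == "__main__":
    for name, sr, flag in rank_assets(SAMPLE_ASSETS):
        tag = "-> secure it" if flag else ""
        print(f"{name:22s} SR={sr:.3f} ({sr * 100:.1f}%) {tag}")
```

The dial-in box scores 1.5, which illustrates why SR has to be read as a ranking score rather than a percentage once the posture value is small.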