The risk index is calculated by multiplying the severity factor by the probability factor and
then dividing the product by the control factor:
Risk index = (severity factor * probability factor) / control factor
Table 12-8 shows a sample risk index calculation for a typical large corporation facing a
couple of typical risks. A higher calculated risk index means more risk and therefore more
impact to the organization; a lower index number means less risk and less impact to the
organization.
Table 12-8    Risk Index Calculation

Risk                                        Severity (S)    Probability (P)    Control (C)    Risk Index (S * P)/C
                                            Range 1 to 3    Range 1 to 3       Range 1 to 3   Range .3 to 9
DoS attack lasting for 1.5 hours on the     2               2                  1              4
email server
Breach of confidential customer lists       3               1                  2              1.5
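The following Python code is an added worked example, not part of the book's text, that applies the risk index formula above to the two rows of Table 12-8. It enforces the 1-to-3 range of each factor, derives the .3 to 9 bounds of the index from the formula, and ranks a list of risks so the highest-impact item comes first. The row data is copied from the table; the function and variable names are this example's own.

```python
# Added example: risk index = (severity * probability) / control,
# with every factor rated on the 1-to-3 scale used by Table 12-8.

# Sample rows, copied from Table 12-8: (description, severity, probability, control).
SAMPLE_RISKS = [
    ("DoS attack lasting for 1.5 hours on the email server", 2, 2, 1),
    ("Breach of confidential customer lists", 3, 1, 2),
]


def _check_factor(name, value):
    """Reject any rating that is not a whole number between 1 and 3."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 3:
        raise ValueError(f"{name} must be an integer from 1 to 3, got {value!r}")


def risk_index(severity, probability, control):
    """Return (S * P) / C after validating that each factor is in range 1 to 3."""
    _check_factor("severity", severity)
    _check_factor("probability", probability)
    _check_factor("control", control)
    return (severity * probability) / control


def index_bounds():
    """Smallest and largest index the formula can produce: (1*1)/3 and (3*3)/1."""
    return risk_index(1, 1, 3), risk_index(3, 3, 1)


def rank_risks(risks):
    """Score each (description, S, P, C) row and sort highest risk index first."""
    scored = [(description, risk_index(s, p, c)) for description, s, p, c in risks]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    low, high = index_bounds()
    print(f"Risk index range: {low:.1f} to {high:.1f}")
    for description, index in rank_risks(SAMPLE_RISKS):
        print(f"{index:>4.1f}  {description}")
```

Running the script prints the index range (0.3 to 9.0) followed by the DoS attack (4.0) ahead of the customer-list breach (1.5), matching the table. The ranking is the useful part in practice: once every identified risk is scored the same way, the sorted list tells you which controls to strengthen first.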
Continuous Security
As requirements change and new technology is developed, the network security policy
should be updated to reflect the changes. The following four steps are used to facilitate
continuing efforts in maintaining security policies:
Step 1. Secure: Identification, authentication, ACLs, stateful packet inspection (SPI),
encryption, and VPNs
Step 2. Monitor: Intrusion and content-based detection and response
Step 3. Test: Assessments, vulnerability scanning, and security auditing
Step 4. Improve: Data analysis, reporting, and intelligent network security
Figure 12-7 shows the four-step process that updates and continues the development of
security policies.
[Figure 12-7 Continuous Security: a cycle of Secure, Monitor, Test, and Improve around the security policy]