Workshops: A workshop is the most effective way of creating a collated list of information assets. The OCTAVE methodology prescribes that senior management, operational management, and staff workshops be conducted to gain a detailed insight into the critical assets of the organization. While OCTAVE is a risk assessment methodology for enterprise risk assessment, its principles may be adopted for a Web application as well. Discussions with management/customers regarding the types of critical information that will be stored, processed, or transmitted need to occur before the requirements of the application are formulated. A workshop facilitated with a brainstorming session ensures that the most comprehensive view of critical assets is revealed during the interactions with management/customers. The workshop draws on the existing knowledge of the organization: using the knowledge of a few key individuals ensures that organizational experience is tapped to the fullest and a comprehensive view of information assets is achieved.
Questionnaires: Questionnaires are an effective medium for eliciting information about critical information assets. In several cases, individuals are spread across different locations in different countries, in which case workshops may not be feasible. Questionnaires contain questions directed at eliciting the information necessary to determine the types of critical assets that are stored, processed, or transmitted by the Web application. Based on the results of the questionnaire, the risk assessment team collates the information and prepares a list of critical information assets for which the risk assessment needs to be performed.
Description sheets: Description sheets are similar to questionnaires; however, they differ in the level of detail. This technique is usually the least effective, as it requires the subjects to write a great deal of detail into the sheets, which most people do not do because of either time constraints or lack of motivation. Individuals seldom take the time to fill out proper descriptions of the critical information assets, and the end result of this analysis is usually vague and of little use. This technique is better suited to smaller entities, where the results are not too many to analyze.
5.2.3 User Roles and Access to Critical Information Assets
User profiling is a very important activity for understanding the envisaged application. Once the critical information assets for the application have been tabulated, the next piece of the puzzle is understanding the types of users that are likely to exist as part of the application and the level of access these users have to these critical information assets. Users of a Web application have access to create, update, or delete critical application data, as the case may be. It is important for the risk assessment to capture who has access to each critical information asset and what kind of access the individual has to it. For instance, a customer of an e-commerce application will have access to his/her account information, including personal details, transaction history, order status, and credit card information stored, processed, or transmitted by the application. In a similar manner, the administrator of an e-commerce application will have access to stock-related information in the Web application. The administrator can insert, update, and delete stock-related information such as stock item name, price, and discount.
The ideal way to profile users and capture information about the information assets they can access is to provision an access control matrix. An access control matrix characterizes the privileges each individual (subject) has to each critical information asset (object). In a typical operating system, an access control matrix would record whether a particular user or user role can read, write, or execute a particular file in the system.
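The following is an added illustration, not code from the book, of how the access control matrix described above can be written down for the e-commerce example: user roles are the subjects, the critical information assets are the objects, and each cell holds the create/read/update/delete privileges granted. The role names, asset names, and the grants themselves are assumptions made for this example; anything not listed in the matrix is denied by default, and the helper functions answer the two questions the risk assessment asks (can this role perform this operation, and which roles can change a given asset).

```python
# Added example: an access control matrix (subject x object -> privileges)
# for the e-commerce roles and assets discussed in the text.
# Role names, asset names and grants are assumptions, not values from the book.
from typing import Dict, FrozenSet, List

Matrix = Dict[str, Dict[str, FrozenSet[str]]]

VALID_OPS = frozenset({"create", "read", "update", "delete"})

# Rows are user roles (subjects), columns are critical information assets
# (objects). A missing cell means no privilege at all (default deny).
ACCESS_MATRIX: Matrix = {
    "customer": {
        "account_info": frozenset({"read", "update"}),
        "transaction_history": frozenset({"read"}),
        "order_status": frozenset({"read"}),
        "credit_card": frozenset({"create", "read", "delete"}),
    },
    "administrator": {
        "stock_item": frozenset({"create", "read", "update", "delete"}),
        "order_status": frozenset({"read", "update"}),
    },
}


def is_allowed(matrix: Matrix, role: str, asset: str, op: str) -> bool:
    """True only when the matrix explicitly grants `op` on `asset` to `role`."""
    if op not in VALID_OPS:
        raise ValueError(f"unknown operation: {op}")
    # Unknown roles and unknown assets fall through to an empty grant set.
    return op in matrix.get(role, {}).get(asset, frozenset())


def roles_with_write_access(matrix: Matrix, asset: str) -> List[str]:
    """Roles that can change `asset` (create, update or delete), sorted."""
    writes = {"create", "update", "delete"}
    return sorted(
        role for role, grants in matrix.items()
        if grants.get(asset, frozenset()) & writes
    )


def render_matrix(matrix: Matrix) -> List[str]:
    """One line per role, listing each asset with its CRUD letters."""
    lines = []
    for role, grants in matrix.items():
        cells = [f"{a}:{''.join(sorted(op[0].upper() for op in p))}"
                 for a, p in sorted(grants.items())]
        lines.append(f"{role:<14}" + "  ".join(cells))
    return lines


if __name__ == "__main__":
    print("\n".join(render_matrix(ACCESS_MATRIX)))
    print(is_allowed(ACCESS_MATRIX, "customer", "stock_item", "update"))  # False
    print(roles_with_write_access(ACCESS_MATRIX, "stock_item"))  # ['administrator']
```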