Simple network risk assessment process
In general information security consulting work, a network risk assessment refers to the following process:
1. Asset collection
Collect the specific number of objects to be evaluated in the organization, for example how many switches, IPS/IDS devices, firewalls and server IP addresses there are. It is best to record these in a table up front, since it makes the later work and the project plan much easier to prepare.
2. Asset assignment
Assign an importance rating to each server or network device; this rating is the basis for judging risks and threats in the later evaluation (in practice, however, this step is usually skipped).
3. System research
Conduct a survey of the operating environment of the servers and network devices and of the network topology.
Survey the software environment in use, for example Windows 2003, ASP.NET, SQL Server 2005, Office and the OA (office automation) system, together with the security settings of the network devices; record the corresponding software versions, and issue a questionnaire on staff awareness of network security.
4. Vulnerability scan
In short, three or four scanning tools are generally used for the vulnerability scan. Web application, host and database scanners are the common ones: AppScan, Nessus, WVS, the NSFOCUS scanner and Venustech's Tianjing, supplemented by manual judgment based on experience.
5. Risk assessment report
Manual analysis of the vulnerability scan results, combined with the potential threats and weaknesses found in the analysis of the existing network topology, produces the risk assessment report.
6. Rectification suggestions
Rectification suggestions generally cover management and personnel policies, host hardening, web application code hardening, database hardening, security awareness training for staff and, where needed, the addition of security devices; they are delivered in document form.
7. Acceptance once rectification is complete
There is little to add about the project closeout stage: what matters is the working relationship with the client and getting the documents in order.
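To show how steps 1, 2, 4, 5 and 6 fit together in practice, here is a small risk register in Python. It is an added example, not code from the original article or from any of the scanners named above: the asset inventory, importance ratings and scan findings are constructed sample data (hosts use the 192.0.2.0/24 documentation range), the 1..5 importance and severity scales and the importance x severity scoring are assumptions of this example, and the category-to-rectification mapping is only an illustration of the kind of advice listed in step 6.

```python
"""Toy risk register for the assessment process above (added example).

Assets and findings are constructed sample data, not from any real
assessment; severity values are assumed to be normalized to 1..5 from
whatever scale the scanner in step 4 reported.
"""
from dataclasses import dataclass


# Step 1 / step 2: asset inventory with an importance rating (1 = low, 5 = critical).
@dataclass
class Asset:
    name: str
    kind: str          # server, switch, firewall, ids, ...
    ip: str
    importance: int    # 1..5, assigned by the organization


# Step 4: one scan finding, normalized from whichever scanner produced it.
@dataclass
class Finding:
    asset: str         # Asset.name this finding belongs to
    title: str
    severity: int      # 1..5, normalized from the scanner's own scale
    category: str      # host, web, database, network, management


# Step 6: rectification advice keyed by finding category (illustrative mapping).
REMEDIATION = {
    "host": "host hardening (patching, service minimization, local policy)",
    "web": "web application code hardening and secure coding review",
    "database": "database hardening (accounts, privileges, patch level)",
    "network": "network device configuration review / added security devices",
    "management": "management policy and security awareness training",
}


def risk_score(importance: int, severity: int) -> int:
    """Step 5: risk = asset importance x finding severity (1..25)."""
    for v in (importance, severity):
        if not 1 <= v <= 5:
            raise ValueError("importance and severity must be in 1..5")
    return importance * severity


def risk_level(score: int) -> str:
    """Bucket a 1..25 score into the three levels used in the report."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_risk_register(assets, findings):
    """Join findings to assets, score each one, and sort by descending risk.

    A finding that refers to an asset missing from the inventory is a
    bookkeeping error from step 1 and is rejected rather than silently dropped.
    """
    by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        if f.asset not in by_name:
            raise KeyError(f"finding '{f.title}' refers to unlisted asset {f.asset}")
        a = by_name[f.asset]
        score = risk_score(a.importance, f.severity)
        rows.append({
            "asset": a.name, "ip": a.ip, "kind": a.kind,
            "finding": f.title, "score": score, "level": risk_level(score),
            "rectification": REMEDIATION.get(f.category, "manual review"),
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def summarize(rows):
    """Count rows per level for the report's summary section."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for r in rows:
        counts[r["level"]] += 1
    return counts


def render_report(rows):
    """Plain-text risk assessment report (the step 5 deliverable)."""
    lines = ["Risk assessment report", "=" * 22, ""]
    for lvl, n in summarize(rows).items():
        lines.append(f"{lvl:<7}{n}")
    lines.append("")
    for r in rows:
        lines.append(f"[{r['level']}] {r['asset']} ({r['ip']}): {r['finding']} "
                     f"-> score {r['score']}; fix: {r['rectification']}")
    return "\n".join(lines)


# Constructed sample inventory (steps 1-2) and scan output (step 4).
ASSETS = [
    Asset("oa-web", "server", "192.0.2.10", 5),
    Asset("oa-db", "server", "192.0.2.11", 5),
    Asset("core-sw1", "switch", "192.0.2.1", 4),
    Asset("lab-pc", "server", "192.0.2.50", 1),
]
FINDINGS = [
    Finding("oa-web", "SQL injection in login form", 5, "web"),
    Finding("oa-db", "Database reachable from user VLAN", 3, "database"),
    Finding("core-sw1", "Default SNMP community string", 2, "network"),
    Finding("lab-pc", "Missing OS patches", 4, "host"),
]

if __name__ == "__main__":
    print(render_report(build_risk_register(ASSETS, FINDINGS)))
```

The point of the example is the ordering: the same severity-4 "missing patches" finding lands at the bottom of the register on a low-importance lab machine, while a medium finding on the OA database is rated High because the asset is critical, which is exactly the information that step 2 provides and that a raw scanner report lacks.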