Phase 1 Inspection

• Resource inventory: value of info assets
• Loss analysis: harm caused if lost, altered, disclosed
• Threat assessment: type & size
• Vulnerabilities: where
• Safeguards: appropriate & effective

Identify the info resources, evaluate the risks, apply security measures.
Security can not make it impossible to suffer a loss. Can reduce likelihood and make cost of attack prohibitve for the info gained.

Resources

• people: creators, consumers, caretakers of info
• property: physical stuff
• info
• infrastructure: utilities
• reputation

• human error: accidents
• system failures: HW & SW
• natural disasters
• malicious acts: human or automated attacks, theft by disgruntled employee, hacker, spy, criminal

• remote users
• security holes in SW
• spam, viruses

Losses

• Denial of service (loss of availability): most visible, immediately apparent. Often most important to service business.
• Disclosure (loss of confidentiality): usually greatest concern
• Destruction or corruption (loss of integrity): tampering or accident. May be most devastating type of loss.

• design flaw
• implementation: install, admin
• innovative misuse: unanticipated
• social engineering: get people to divulge info they shouldn't

Safeguards: HW, SW, policies, procedures
proactive: protect info before it's compromised. Better but not always possible.
reactive: detect compromise and act to minimize damage. Always needed.

Evaluate current status: compare current security to areas the risk analysis has determined to be important.
--assess policies & procedures. compare with other organizations.
--test the quality