IT ACCESS

Network Security Policy


Before a network security policy can be established, a risk analysis has to be performed. Risk analysis is the process of identifying what you need to protect, what you need to protect it from, and how to protect it. It is the process of examining all of your risks and ranking them by level of severity.

A good way of assessing the risks of network connectivity is to first evaluate the network to determine which assets are worth protecting and the extent to which these assets should be protected.

In principle, the cost of protecting a particular asset should not exceed the value of the asset itself. Make a detailed list of all assets, including both tangible objects, such as servers and workstations, and intangible objects, such as software and data. Identify the directories that hold confidential or mission-critical files. After identifying the assets, determine how much it would cost to replace each one and use that figure to prioritize the list. Note that for data, replacement cost alone understates the loss if the data can also be disclosed or corrupted, so it should be treated as a lower bound.

Once the assets requiring protection are identified, it is necessary to identify the threats to these assets. The threats can then be examined to determine what potential for loss exists.

Examples of threats might include:

  1. Unauthorized access/use of resources (authentication)

  2. Denial of Service (availability)

  3. Leakage of information (confidentiality)

  4. Corruption/unauthorized change of data (integrity)

  5. Natural disasters

  6. Physical theft

  7. Depreciation of product

Quantifying Costs for Security Related System Damage

Answering these questions is an important first step toward putting a quantitative value on the losses a security vulnerability can cause, which in turn enables the calculation of an ROI for a security product investment.

Viruses

  1. How many times per year does the network fail due to a virus infection?

  2. How long does it take to bring the network back on line (per incident)?

  3. How much revenue is lost when the network goes off-line?

  4. How many employees are on the recovery team? Who are they? Are they cross-trained, and is cover arranged for vacations?

  5. How many transactions are processed per hour?

  6. What is the average amount of revenue generated per transaction?

  7. How many internal users are dependent on the gateway?

  8. How many external users are dependent on the gateway?

  9. How many customers are dependent on the gateway?

  10. What is the average amount of staff productivity time lost each time the network goes off-line?

  11. What is the average amount of productive time that is lost (on normal projects) by the Recovery team?

  12. Are there SLA (Service Level Agreements) cost liabilities for downtime with key customers?

  13. What are the risks associated with downtime and data loss, and are these risks addressed in the reseller's security policy?

For Exchange users:

  1. How many times per year is the Exchange server taken off-line due to a virus?

Unauthorized Intruders

  1. How many end users have access to your secured network?

  2. What is the average amount of time each end user surfs the Internet for non-work related information?

  3. How much of your network bandwidth is being utilized for non-work related traffic?

  4. How many times per year do end users obtain access to applications that they do not have permissions to access?

  5. When an intruder makes it past the Firewall, how long does it take the organization to detect their presence?

  6. How many remote users have the authority to access the network inside of the Firewall?
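A worked version of the calculation these questions feed, added here as an example and not taken from the original page: it builds a single loss expectancy (SLE) for one incident from the answers to questions 2 and 4 through 12 in the virus list, annualizes it with the incident frequency from question 1 (ALE), and derives the ROI of a security product from the change in ALE it produces. It also reports the break-even annual spend, which is the quantitative form of the rule above that protection should not cost more than what it protects. The `IncidentProfile` fields, the function names and every figure are constructed for illustration; replace them with your own answers.

```python
"""Annualized loss expectancy (ALE) and control ROI from the downtime questions above.

Added example; all figures are constructed for illustration, not measured data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IncidentProfile:
    """Answers to the 'Viruses' questions, expressed as numbers.

    Field comments give the question each value comes from.
    """
    incidents_per_year: float            # Q1: network failures per year due to infection
    hours_to_recover: float              # Q2: time to bring the network back on line
    transactions_per_hour: float         # Q5
    revenue_per_transaction: float       # Q6
    dependent_users: int                 # Q7-Q9: users who cannot work while the gateway is down
    productivity_cost_per_user_hour: float  # Q10: loaded hourly cost of idle staff
    recovery_team_size: int              # Q4
    recovery_team_hourly_cost: float     # Q11: recovery staff pulled off normal projects
    sla_penalty_per_incident: float      # Q12: contractual downtime liability


def single_loss_expectancy(p: IncidentProfile) -> float:
    """Cost of one incident (SLE): lost revenue + idle staff + recovery effort + SLA penalty."""
    lost_revenue = p.hours_to_recover * p.transactions_per_hour * p.revenue_per_transaction
    lost_productivity = p.hours_to_recover * p.dependent_users * p.productivity_cost_per_user_hour
    recovery_cost = p.hours_to_recover * p.recovery_team_size * p.recovery_team_hourly_cost
    return lost_revenue + lost_productivity + recovery_cost + p.sla_penalty_per_incident


def annualized_loss_expectancy(p: IncidentProfile) -> float:
    """ALE = SLE x annual rate of occurrence (Q1)."""
    return single_loss_expectancy(p) * p.incidents_per_year


def break_even_spend(before: IncidentProfile, after: IncidentProfile) -> float:
    """Most you should pay per year for a control that moves the profile from before to after.

    Spending more than this protects an asset at a cost greater than the loss it prevents.
    """
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after)


def control_roi(before: IncidentProfile, after: IncidentProfile, annual_control_cost: float) -> float:
    """ROI of a control = (annual risk reduction - annual cost) / annual cost.

    Negative means the control costs more per year than the loss it avoids.
    """
    if annual_control_cost <= 0:
        raise ValueError("annual_control_cost must be positive")
    reduction = break_even_spend(before, after)
    return (reduction - annual_control_cost) / annual_control_cost


# Constructed 'before' profile: four outages a year, six hours each.
BEFORE = IncidentProfile(
    incidents_per_year=4,
    hours_to_recover=6,
    transactions_per_hour=500,
    revenue_per_transaction=40.0,
    dependent_users=200,
    productivity_cost_per_user_hour=50.0,
    recovery_team_size=3,
    recovery_team_hourly_cost=80.0,
    sla_penalty_per_incident=5000.0,
)

# Constructed 'after' profile: gateway filtering assumed to cut frequency to one
# outage a year and, with a rehearsed recovery team, recovery time to two hours.
AFTER = replace(BEFORE, incidents_per_year=1, hours_to_recover=2)

# Constructed annual cost of the control (licence plus staff time).
CONTROL_COST_PER_YEAR = 60000.0


if __name__ == "__main__":
    print(f"SLE before: {single_loss_expectancy(BEFORE):,.0f}")
    print(f"ALE before: {annualized_loss_expectancy(BEFORE):,.0f}")
    print(f"ALE after:  {annualized_loss_expectancy(AFTER):,.0f}")
    print(f"Break-even annual spend: {break_even_spend(BEFORE, AFTER):,.0f}")
    print(f"ROI at {CONTROL_COST_PER_YEAR:,.0f}/year: {control_roi(BEFORE, AFTER, CONTROL_COST_PER_YEAR):.2f}")
```

The model deliberately leaves out the intruder questions: dwell time after a firewall bypass and non-work bandwidth use are inputs to a different loss model (disclosure and misuse rather than downtime), and folding them into a downtime figure would overstate what the answers support. The same structure applies, with incidents per year replaced by expected breaches per year and the per-incident cost built from the assets listed in the inventory.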

A thorough risk assessment will be the most valuable tool in shaping a network security policy. The risk assessment indicates both the most valuable and the most vulnerable assets. A security policy can then be established that focuses security measures on protecting those assets.
Copyright ©  IT ACCESS. All Rights Reserved
