COBRA Knowledge Bases
Three discrete knowledge bases are available for use with COBRA:
– The IT security or default knowledge base
– The operational risk knowledge base
– The ‘quick risk’ or high level risk knowledge base.
– The e-Security knowledge base.
The first two of these provide for comprehensive and detailed risk analysis in their respective domains. The third enables a rapid assessment and overview of a whole business system. The latter knowledge base was specifically constructed to cover modern LAN and network based systems.
Example Modules
The set of detailed question modules that are supplied with the base Risk Consultant are extensive. They are designed to enable a system to be professionally and meticulously assessed without necessitating particular security expertise..
The following question modules, amongst many others, are included:
Business/Impact
Assesses the relative significance, in terms of potential loss, of all aspects and areas of a system. The results from this can be used in determination of which areas are in most need of attention.
If required, this module can also be used to automatically determine which other question modules to build into a detailed questionnaire.
Logical Access
All aspects of logical access to and within the computer system are covered:
· user identification and authentication (system access)
· batch submission
· function control
· resource access control
· sensitive data consideration, etc
System Audit
Investigates all areas of auditing, including what records and logs are produced, what audit procedures and practices are employed, what follow-up procedures are adopted, etc.
Security Administration
Security administration practices are ascertained for resource access, system access and security system control.
Contingency
Contingency and recovery are considered in great depth. All aspects are covered, including:
· back-up practice and policy
· the contents of the recovery plan
· the status of the recovery plan
· the recovery location
· general contingency practice, procedure and policy
· network contingency
· application contingency.
System Design
Security considerations relating to application/system design is covered by this module.
Development
The development module embraces all security considerations pertinent to application/system development, including documentation, auditing requirements and project control.
Change Control
Covers change control procedures and practice, both scheduled and emergency.
Security Management And Policy
This module will establish general security status, embracing general and detailed policy, awareness and security management.
Physical Access
All aspects of physical access are examined, including:
· access and damage at a building level
· access to sensitive areas within the building
· protection of individual assets
· procedures to control personnel and others internal to the building/site.
Hardware
Practise, procedure and risk with respect to hardware and hardware maintenance is analysed.
Operations
Close examination of operations procedures and practices is undertaken.
Personnel
Personnel policy is covered, with respect to such matters as recruitment, dependency and supervision.
Hazards
All major hazards are considered, including:
· fire
· flooding/water-damage
· power
· environmental systems
· general issues.
Networks
Network security is analysed in depth. Some of the issues examined are:
· use of dial-in
· encryption
· monitoring and audit
· maintenance
· physical controls
· general practice