chris02 - 2011
Hi all,
I have pulled together an Information Security log that will be used to record data security issues, and based the severity levels on CVSS but without the scoring system.
Do you think the following will provide sufficient coverage for 27001? If not, suggestions welcome.
Thanks
Chris
Security Severity Levels
… severity levels are based on the basic principles of the ‘Common Vulnerability Scoring System’ (CVSS). The CVSS is a vendor-neutral, industry standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.
Critical
Vulnerabilities that score in the Critical range usually include:
• Exploitation of the vulnerability results in root-level compromise of servers or infrastructure devices
• The information required in order to exploit the vulnerability, such as example code, is widely available to attackers
• Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
For critical vulnerabilities, it is advisable to upgrade systems/processes as soon as possible, unless there are mitigating measures in place (for example, the installation is not accessible from the Internet).
High
Vulnerabilities that score in the High range usually have the following characteristics:
• The vulnerability is difficult to exploit
• Exploitation does not result in elevated privileges
• Exploitation does not result in a significant data loss.
Moderate
Vulnerabilities that score in the Moderate range usually have the following characteristics:
• Denial of service vulnerabilities that are difficult to set up.
• Exploits that require an attacker to reside on the same local network as the victim.
• Vulnerabilities that affect only nonstandard configurations or obscure applications.
• Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
• Vulnerabilities where exploitation provides only very limited access.
Low
Vulnerabilities in the Low range typically have very little impact on an organisation's business. Exploitation of such vulnerabilities usually requires local or physical system access.