If I was presented with a proposal to a stakeholders of MARCOL bank I would find look at the bank computers networks assets by who they borrow from for example Bank of America. Then I would analyze the security risks. For instant I would use the Hacked network devices – Data can be intercepted, analyzed, altered, or deleted, user passwords can be compromised or device configurations can be changed reconnaissance attacks and Denial- of- service attacks then I would analyze security requirements and tradeoffs by making sure the security goals are affordable, usable, performable, available and manageable so that we are protected from hackers at all cost. I will develop a plan that will by creating a networking assets such hardware, software, application, data, intellectual property, trade secrets and company’s reputations. I would have a secure plan in place so that the first part of the security plan should describe its scope — just what is it intended to cover. For a small company the security plan scope might be the entire organization; for a larger organization, it might be limited to just one location or one department.
The scope may also be limited by the type of threats it covers. Often a separate security plan is written just for IT related threats since these require specialized knowledge to understand and address. The scope may also be limited to certain operations on a need-to-know basis: office staff do not need to know about the security plan for the movement of cash to and from bank branches, for example.
The next part of the security plan is the security assessment. This is the part of the plan which answers the question: where are we now?
The assessment needs to identify what we need to defend (people, locations, equipment, confidential information, service availability). Unless we know what we are defending, it's not possible to determine which threats we need to be concerned with.
Following this inventory of the things that need to be defended, we need to determine the threats we need to defend against.
These may include:
• physical threats (e.g. theft, arson, sabotage),
• computer-related threats (e.g. viruses, spam, malware, network intrusion)
• insider threats (e.g. fraud, workplace violence, information theft or disclosure)
• natural threats (e.g. earthquake, landslide, hurricane, tsunami, snowstorm, etc.)
• information threats (e.g. theft of trade secrets, customer lists )
For each threat we need to determine the risk: the combination of both how likely it is to occur and its impact on the organization.
We also need to determine what precautions are already in place to either reduce the likelihood of the threat or to reduce its impact. This may include physical measures (burglar alarms, fences, firewalls), procedural controls (two signatures required for checks more than $1000), staff policies, and staff training.