Enterprise Network Risk Assessment
Copyright 2019, Faulkner Information Services. All Rights Reserved.
Docid: 00021179
Publication Date: 1909
Report Type: TUTORIAL
Preview
Computer networks are the conduits through which modern commerce is conducted. Unfortunately, enterprise networks are vulnerable to attack, and protecting them has become a major concern. To understand the nature and severity of the threat, an enterprise may commission a network risk assessment – a comprehensive analysis of network infrastructure and operations with the purpose of identifying and mitigating risks to network integrity and availability.
Executive Summary
Computer networks – both data and voice – are the conduits through which modern commerce is conducted. They enable the essential information flows that power finance, production, sales, and virtually all enterprise business functions.
As such, computer networks are a vital enterprise asset that must be protected from unauthorized access and manipulation. With the widespread adoption of the Internet in the 1990s – an indispensable vehicle for e-commerce and economical supply chain operations – enterprise networks, which were formerly private, have gone public. While generally beneficial for business, this public exposure has produced a new and virulent form of criminality in which non-enterprise (or non-enterprise-affiliated) actors like "hackers," members of organized crime, or even nation-states like China and Russia exploit their Internet connections to deposit computer viruses and other forms of "malware" on enterprise devices and, ultimately, enterprise networks.
While the motivation for these attacks varies – from electronic graffiti to corporate espionage to the theft of confidential customer information to "hacktivism" (in which hackers seek to disrupt enterprise operations for political purposes) – the simple fact is that enterprise networks are vulnerable, and protecting enterprise networks has become a major – in some cases, principal – concern among enterprise security officials and the executives they serve.
Although a number of network security technologies have emerged over the past
two decades (anti-virus applications, content filtering software, network
firewalls, and intrusion prevention systems, among others) network attacks continue and, in
certain instances, have intensified. To help ensure that enterprise
networks are as safe and secure as they can be, enterprise security departments are conducting more
frequent and more intensive network risk assessments.
Put simply, a network risk assessment is a comprehensive analysis of network
infrastructure and operations with the purpose of identifying and, ultimately,
mitigating any risks to network integrity and availability.
Description
More than a matter of good enterprise policy, some US security and privacy statutes, including the Health Insurance Portability and Accountability Act (HIPAA), compel affected enterprises to perform, and periodically repeat, network risk assessments.
An enterprise network risk assessment is defined by three key elements:
- The Organizational Risk Frame (or Frame), which describes the risk assessment methodology.
- The Process, which describes the risk assessment flow.
- The Techniques, which describe the risk assessment measures.
The Frame
As observed by the US National Institute of Standards and Technology, organizations can use a single risk assessment methodology or can employ multiple assessment methodologies, with the selection of a specific methodology depending on, for example:
- The time frame for investment planning or for planning policy changes.
- The complexity/maturity of organizational mission/business processes (by enterprise architecture segments).
- The phase of the information systems in the system development life cycle.
- The criticality/sensitivity of the information and information systems supporting the core organizational missions/business functions.
By making explicit the risk model, the assessment approach, and the analysis approach employed – collectively, the organizational risk frame – organizations can increase the reproducibility and repeatability of risk assessments.
Figure 1 illustrates the fundamental components in organizational risk
frames and the relationships among those components.1
Figure 1. Organizational Risk Frame
Source: NIST
The Process
While there is no generally accepted formula for assessing
network risk, Figure 2 illustrates one possible approach.
Figure 2. Enterprise Network Risk Assessment Process Flow
Network Actor – The process begins when the Risk Assessment Team
– assessment is a multi-player process – identifies each
network "actor".2 An actor is an individual or organization
intent on penetrating the enterprise network. In a commercial
environment, the actor may be a:
- Hacker
- Disgruntled former employee
- Business competitor
- Identity thief; or, most disappointingly
- A current employee, customer, or supply chain partner
In a government, especially national security, environment, the list
expands to include foreign spies and terrorists.
Network Attack – Once an actor has been identified, the Risk Assessment Team determines
which type of attack the actor is likely to launch. A business
competitor, for example, may launch a distributed denial of service (DDoS)
attack, designed to disrupt enterprise operations and provide the actor’s
company with a competitive advantage.
Likelihood of Attack – Once an attack type has been identified, the Risk Assessment Team determines the likelihood that such an attack will be launched. Likelihood depends on several factors, principally the ease of launch and the attacker's chance of being detected. Historical data offers the best measure of likelihood. Has this type of attack been launched before, and with what frequency?
Severity of Attack – Once the Risk Assessment Team has determined the likelihood of an attack, they will determine – or rather estimate – its severity. For
example, the impact of a DDoS attack on a "plain", i.e.,
non-commercial, website is probably low. Conversely, the impact on a
retail, i.e., e-commerce, website is probably high, maybe even
extraordinarily high.
Risk of Attack – Once the Risk Assessment Team determines the
likelihood of an attack and its severity, they can then proceed to
estimate the overall risk of attack, as depicted in Figure 3.
Figure 3. Risk Quadrants
Existing Attack Countermeasures – Once the Risk
Assessment Team has determined the risk of attack, the Team will examine
the existing attack countermeasures and determine whether such measures
are sufficient. Again, historical data plays a vital role. Have the
presently deployed countermeasures been effective in preventing – or, at
least, mitigating – network attacks?
Required Attack Countermeasures
– Finally, the Risk Assessment Team will determine which – if any –
additional countermeasures are required to provide adequate
security. They will report their findings and recommendations to the
enterprise chief security officer (CSO) for follow-up action.
Importantly, this Enterprise Network Risk Assessment process is iterative, meaning the process repeats for each actor and for each attack associated with each actor. The number of iterations may be expressed mathematically as follows:
Iterations = Attacks_1 + Attacks_2 + ... + Attacks_n
where Attacks_i is the number of attacks associated with Actor i, and n is the number of actors identified.
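The process flow above (actor, attack, likelihood, severity, risk quadrant, existing and required countermeasures, repeated once per actor/attack pair) can be run as a small program. The following is an added example written for this report, not a tool from the report or from NIST; its 1-to-5 scoring scale, the quadrant threshold, the sample actors and the table of countermeasures expected per attack type are all constructed for illustration.

```python
"""Iterative network risk assessment: one pass per (actor, attack) pair.

Added example, not code from the report.  The 1..5 scores, the quadrant
threshold, the sample actors and the "required countermeasures" table are
all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Likelihood and severity are scored 1 (low) to 5 (high).  Treating a score
# of 3 or more as "high" is an assumption made for this example.
HIGH_THRESHOLD = 3


@dataclass
class Attack:
    name: str
    likelihood: int         # ease of launch and historical frequency
    severity: int           # estimated business impact
    deployed: List[str]     # countermeasures currently in place


@dataclass
class Actor:
    name: str
    attacks: List[Attack]


def quadrant(likelihood: int, severity: int) -> str:
    """Place an attack in one of the four risk quadrants of Figure 3."""
    lk = "high" if likelihood >= HIGH_THRESHOLD else "low"
    sv = "high" if severity >= HIGH_THRESHOLD else "low"
    return f"{lk}-likelihood/{sv}-severity"


def iteration_count(actors: List[Actor]) -> int:
    """Iterations = Attacks_1 + ... + Attacks_n: one per actor/attack pair."""
    return sum(len(actor.attacks) for actor in actors)


def assess(actors: List[Actor], required: Dict[str, List[str]]) -> List[dict]:
    """Run the process flow once per (actor, attack) and rank the findings.

    `required` maps an attack type to the countermeasures the team expects
    to see deployed against it; whatever is missing becomes the
    "required attack countermeasures" recommendation for that iteration.
    """
    findings = []
    for actor in actors:
        for atk in actor.attacks:
            missing = [c for c in required.get(atk.name, []) if c not in atk.deployed]
            findings.append({
                "actor": actor.name,
                "attack": atk.name,
                "risk": atk.likelihood * atk.severity,
                "quadrant": quadrant(atk.likelihood, atk.severity),
                "missing_countermeasures": missing,
            })
    # Highest risk first; ties broken by how many controls are still missing.
    findings.sort(key=lambda f: (f["risk"], len(f["missing_countermeasures"])),
                  reverse=True)
    return findings


# Constructed sample input; none of it describes a real assessment.
SAMPLE_ACTORS = [
    Actor("business competitor", [
        Attack("DDoS", likelihood=2, severity=5, deployed=["upstream scrubbing"]),
        Attack("industrial espionage", likelihood=2, severity=4, deployed=[]),
    ]),
    Actor("disgruntled former employee", [
        Attack("credential reuse", likelihood=4, severity=4,
               deployed=["password rotation"]),
    ]),
    Actor("hacker", [
        Attack("malware drop", likelihood=4, severity=3,
               deployed=["anti-virus", "content filtering"]),
    ]),
]

# Assumed minimum control set per attack type (example values only).
SAMPLE_REQUIRED = {
    "DDoS": ["upstream scrubbing", "rate limiting"],
    "industrial espionage": ["data loss prevention", "audit logging"],
    "credential reuse": ["password rotation", "account deprovisioning", "MFA"],
    "malware drop": ["anti-virus", "content filtering", "egress filtering"],
}

if __name__ == "__main__":
    print(f"iterations required: {iteration_count(SAMPLE_ACTORS)}")
    for f in assess(SAMPLE_ACTORS, SAMPLE_REQUIRED):
        gap = ", ".join(f["missing_countermeasures"]) or "none"
        print(f"risk={f['risk']:>2} {f['quadrant']:<30} "
              f"{f['actor']} / {f['attack']} -> add: {gap}")
```

Running the script ranks the four iterations by risk (likelihood times severity) and prints, for each, the quadrant and the countermeasures that still need to be deployed. The ranking is what the Team hands to the CSO; the per-attack "required" table is the piece that deserves the most care in a real assessment, since it encodes what the organization considers adequate for each attack type.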
The Techniques
The Risk Assessment Team often relies on a set of "tried-and-true" techniques for
evaluating the effectiveness of existing security policies, practices, and
countermeasures. Two of the more popular and effective techniques are penetration testing and social
engineering.
Penetration Testing
Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of a network. It often involves launching real attacks on real networks and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities that can be used to gain more access than could be achieved through a single vulnerability. Penetration testing can also be useful for determining:
- How well the network tolerates real world-style attack patterns.
- The likely level of sophistication an attacker needs to successfully compromise the network.
- Additional countermeasures that could mitigate threats against the network.
- The enterprise's ability to detect attacks and respond appropriately.
Penetration testing often includes non-technical methods of attack. For example, a penetration tester could breach physical security controls and procedures to connect to a network.3
Social Engineering
Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack
a network. It is used to test user awareness of – and attentiveness to – security, and can reveal weaknesses in user behavior
– such as failing to follow standard security operating procedures.
When employed by network assessors, social engineering can be performed through
a variety of means, including:
- Analog (e.g., conversations conducted in person or over the telephone)
- Digital (e.g., e-mail, instant messaging)
For example, one form of digital social engineering is known as phishing,
where assessors (playing the role of would-be attackers) attempt to steal information such as user IDs and passwords. Phishing uses authentic-looking e-mails to request information, or direct users to a bogus Web site to collect information. Other examples of digital social engineering include crafting fraudulent e-mails and sending attachments that could mimic worm activity.
Assessors should produce a detailed report that identifies both successful
and unsuccessful tactics used. This level of detail will help an enterprise to tailor its security awareness training programs.4
Current View
Value Is a Major Determinant of Risk
Computer networks are valuable precisely because they convey valuable
information. The level of network risk is generally commensurate with the value
of information stored or in transit. As described by analyst Curtis
Franklin, the Factor Analysis of Information Risk (FAIR) defines value in terms
of:
- Criticality – "the impact the asset (in this case, information) has on the organization's productivity."
- Competitive advantage – "Does the [information] allow the organization to do something its competitors can't do, or do something in a way that's superior to the way the competition does it?"
- Sensitivity – "a measure of how much the [information's] loss will cost the organization." Sensitivity may be gauged by embarrassment, the loss of competitive advantage, and/or legal and regulatory challenges.5
Risk Assessment Is a Technical, Political and Commercial Process
Once regarded as a purely technical exercise, today’s enterprise planners now
appreciate the political and commercial aspects of conducting a network risk
assessment, and the necessity of coordinating assessment activities with
relevant stakeholders, including enterprise employees, management, business
partners, and even customers (as appropriate). According to NIST, proper coordination helps to
ensure that:
- Stakeholders are aware of the assessment schedule, activities, and potential impacts the assessment may have.
- The assessment does not take place during upgrades, new technology integration, or other times when system security is being altered (e.g., testing occurs during maintenance windows or periods of low utilization).
- Assessors are provided with required levels of access to the facility and systems, as appropriate.
- Appropriate personnel such as the CIO and CSO are informed of any critical high-impact vulnerabilities as soon as they are discovered.
- Appropriate individuals are informed (e.g., assessors, incident response team, senior management) in the event of an incident. Should this occur, it is recommended that activities cease until the incident is addressed, and the assessors are given approval to resume their activities in accordance with the assessment plan.
The extent to which assessment activities should be suspended varies based
on the enterprise and the type of incident, but, in many cases, the only activities suspended are those involving the systems directly involved in the incident.6
One of the fundamental purposes of coordination is to create and cultivate cooperation to eliminate personnel resistance – especially among security officials who may fear for their jobs if the assessment uncovers serious vulnerabilities. Except in those instances where such vulnerabilities were known – and intentionally ignored by the Security Department – no security staffers should face repercussions.
Also, by keeping the focus on improving security, the Security Department will be less inclined to implement last-minute – and often temporary – measures designed to make network security seem robust and reliable when, in fact, the opposite condition may exist.
Outlook
"Out-of-Control" Networks
Increasingly, one of the major challenges for enterprise planners is what to
do if the network is not your own. This condition may manifest in two
ways:
- The enterprise may have ceded network control to a third-party entity – a managed security services provider (MSSP).
- The enterprise network may connect with other enterprise networks, as, for example, to facilitate supply chain operations.
In the case of the MSSP, the enterprise CSO may be reduced to the role of network
risk "advisor." At the very least, the enterprise-MSSP service level
agreement (SLA) should prescribe regular network risk assessments, and the
enterprise CSO should have the opportunity to review – if not necessarily
approve – MSSP risk assessment protocols and procedures.
In a supply chain or other extra-enterprise network environment, the affected enterprise CSOs should collaborate to develop a single end-to-end network risk assessment, focusing on how the networks interact during normal business operations. In fact, it may be prudent to restrict the range of inter-network communications (even in advance of the assessment) to those data transfer elements essential to business-to-business (B2B) functioning. A big part of network security is eliminating extraneous connections.
Cyber Supply Chain
While most network risk assessment activities are focused – quite
properly – on the risks inherent in unauthorized network access,
authorized network access by suppliers and business partners – what
analyst Jon Oltsik calls the "cyber supply chain" – is generally
accorded less scrutiny.
According to Oltsik, "Many CISOs address cyber supply chain risk
with annual IT security ‘audits’ of selected partners. These ‘audits’
usually are based upon some written checklist that some but not all partners
are asked to respond to on an annual basis. Audits are conducted on select partners while some or
even most 3rd parties with network access get a free pass."7 While
the process is imperfect – at the very least, the audits should be conducted
more frequently – enterprise security officials should insist that all cyber
supply chain partners submit, at minimum, to a high-level audit.
Local Conditions
There’s an unfortunate tendency to treat all enterprise networks the same
since,
in most respects, there’s a great commonality in network threats from
enterprise to enterprise. Nonetheless, enterprise planners should
be cognizant of local conditions that might generate new or elevate old
risk factors. These include:
- Recent employee layoffs or work stoppages, which could induce retaliatory network attacks.
- Bad publicity, which could encourage politically-inspired attacks by hacktivists.
- The sudden appearance of "cutthroat" competition, which could promote "industrial espionage," and which is hard to detect when the purpose of the intrusion is pure information gathering.
So You Don’t Think You Have a Problem
How do you convince a skeptical CEO or CFO that a program of regularly-scheduled network risk assessments is valuable? One method is to conduct a mini-assessment – an inexpensive, non-intrusive, under-the-radar assessment which, in many cases, will reveal an embarrassing assortment of network risks – certainly enough to justify a real, i.e., complete and comprehensive, network risk assessment.
This approach, which we might term the "Rapid Assessment Model," might include the following steps:
- Ascertain the existence of "normal" security policies, like password protection, and determine if these policies are enforced.
- Determine whether the Security Department applies operating system and other security patches in a timely fashion.
- Similarly, determine the frequency with which anti-virus signatures are downloaded to enterprise PCs.
- Determine whether confidential data stored on enterprise laptops is encrypted. Remember, those laptops are end points in the enterprise network.
- Determine whether network equipment is physically secure and free from tampering. This includes remote office devices.
- Determine whether security staffers are trained in the latest security technologies, like network forensics.
- Determine whether non-security personnel have received network security awareness training.
Another form of "quick risk assessment," favored by Australian-based
Insane Technologies, features a set of questions aimed at exposing
fundamental risk factors. These questions include:
- "[Are your network servers] covered by a manufacturers warranty (or 3rd party post manufacturers warranty) which includes the replacement of parts, with on-site labor provided by the manufacturer, and a response to any support request in 4 hours or less?
- "Is someone constantly observing the health of your [network servers], looking for possible hardware faults like failing hard drive devices?
- "If you came into your office today and found it had been broken in to, do you have an offsite backup of all the data you absolutely could not continue your business without, from yesterday (or at least the day before)?
- "[Are your network server], network equipment (network switches, modems, routers, firewalls) and backup devices (external hard drives, tape devices, etc) connected to a UPS (battery backup) device which can provide these systems with at least 10 minutes 'run time' in the event of a power outage, and [are your servers] configured to gracefully shut down if power does not resume after this time?
- "Do you or your IT provider keep up to date site documentation on all your computer systems, which is stored at your business so it can be accessed by either yourself or a computer technician quickly in the event of an emergency?"8
Attack Graph
A special tool called an attack graph (see Figure 4) may help network analysts "model how
multiple vulnerabilities may be combined for an attack." In their
paper entitled, "Security Risk Analysis of Enterprise Networks Using
Probabilistic Attack Graphs," analysts Anoop Singhal and Xinming Ou
offer the following example.
Figure 4. Sample Attack Graph
Source: NIST
"The left side shows a network configuration, and the right side shows the attack graph for compromise of the database server by a malicious workstation user. In the network configuration, the firewall is intended to help protect the internal network. The internal file server offers file transfer (ftp), secure shell (ssh), and remote shell (rsh) services. The internal database server offers ftp and rsh services. The firewall allows ftp, ssh, and rsh traffic from a user workstation to both servers, and blocks all other traffic.
"In the attack graph, attacker exploits are blue ovals, with edges for their preconditions and post conditions. The numbers inside parentheses denote source and destination hosts. Yellow boxes are initial network conditions, and the green triangle is the attacker’s initial capability. Conditions induced by attacker exploits are plain text. The overall attack goal is a red octagon. The figure also shows the direct impact of blocking ssh or rsh traffic (to the fileserver) through the firewall, i.e., preventing certain exploits in the attack graph."9
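The attack graph in Figure 4 is produced by the same forward chaining a penetration tester performs by hand when looking for "combinations of vulnerabilities" (see Penetration Testing, above). The program below is an added example written for this report; it is not code from NIST IR 7788 or from the report's authors. The host names, services and firewall policy follow the description of Figure 4. The exploit rules are generic modelling assumptions made here (any service the attacker can reach is treated as remotely exploitable for a user shell, and any user shell as locally escalatable to root); they are not claims about real vulnerabilities in ftp, ssh or rsh, and the NIST paper uses specific vulnerability data in their place.

```python
"""Attack-graph generation for the network described under Figure 4.

Added example; not code from NIST IR 7788 or from the report.  Hosts,
services and the firewall policy follow the figure's description.  The two
exploit rules are generic modelling assumptions (any reachable service is
treated as remotely exploitable for a user shell, any user shell as locally
escalatable to root); they are not claims about real ftp/ssh/rsh flaws.
"""
from typing import Dict, List, Set, Tuple

ATTACKER_HOST = "workstation"                 # green triangle: initial capability
SERVERS: Dict[str, Set[str]] = {              # services offered, per the figure
    "fileserver": {"ftp", "ssh", "rsh"},
    "database": {"ftp", "rsh"},
}
GOAL = "root@database"                        # red octagon: overall attack goal
Block = Tuple[str, str]                       # (destination host, service)


def firewall_allows(src: str, dst: str, svc: str, blocked: Set[Block]) -> bool:
    """Firewall policy from the figure: ftp/ssh/rsh from the workstation to
    both servers, everything else dropped.  `blocked` removes individual
    (host, service) pairs.  Server-to-server traffic stays inside the
    internal network and is assumed not to cross the firewall at all."""
    if svc not in SERVERS.get(dst, set()):
        return False                          # service not offered by dst
    if src == ATTACKER_HOST:
        return (dst, svc) not in blocked
    return True


def generate_attack_graph(blocked: Set[Block]) -> Tuple[Dict[str, int], List[dict]]:
    """Forward-chain from the attacker's initial capability.

    Returns (depth, exploits).  `depth` maps each condition the attacker can
    obtain to the minimum number of exploits needed for it; `exploits` holds
    one node per exploit (the blue ovals) with its pre- and post-conditions.
    """
    depth: Dict[str, int] = {f"user@{ATTACKER_HOST}": 0}
    exploits: List[dict] = []
    seen: Set[str] = set()
    while True:
        new: List[dict] = []
        # Remote exploits: user shell on src + reachable service on dst.
        for src in [ATTACKER_HOST, *SERVERS]:
            if f"user@{src}" not in depth:
                continue
            for dst, svcs in SERVERS.items():
                if dst == src:
                    continue
                for svc in sorted(svcs):
                    name = f"{svc}_exploit({src},{dst})"
                    if name in seen or not firewall_allows(src, dst, svc, blocked):
                        continue
                    new.append({"name": name,
                                "pre": [f"user@{src}", f"{svc}({src},{dst})"],
                                "post": f"user@{dst}",
                                "depth": depth[f"user@{src}"] + 1})
        # Local privilege escalation: user shell on a host -> root on it.
        for host in SERVERS:
            name = f"local_exploit({host})"
            if f"user@{host}" in depth and name not in seen:
                new.append({"name": name, "pre": [f"user@{host}"],
                            "post": f"root@{host}",
                            "depth": depth[f"user@{host}"] + 1})
        if not new:
            return depth, exploits             # fixpoint: nothing more to derive
        for ex in new:                         # commit the layer all at once (BFS)
            seen.add(ex["name"])
            exploits.append(ex)
            depth[ex["post"]] = min(depth.get(ex["post"], ex["depth"]), ex["depth"])


def goal_reachable(blocked: Set[Block]) -> bool:
    return GOAL in generate_attack_graph(blocked)[0]


def prevented_exploits(blocked: Set[Block]) -> Set[str]:
    """Exploit nodes that exist with the baseline policy but disappear when
    `blocked` is applied: the "direct impact" of a firewall change."""
    base = {e["name"] for e in generate_attack_graph(set())[1]}
    after = {e["name"] for e in generate_attack_graph(blocked)[1]}
    return base - after


if __name__ == "__main__":
    depth, exploits = generate_attack_graph(set())
    print(f"baseline: {len(exploits)} exploit nodes, goal '{GOAL}' reachable "
          f"in {depth[GOAL]} steps")
    for policy in ({("fileserver", "ssh")}, {("fileserver", "rsh")},
                   {("fileserver", "ssh"), ("fileserver", "rsh")}):
        print(f"block {sorted(policy)}: prevents {sorted(prevented_exploits(policy))}; "
              f"goal reachable: {goal_reachable(policy)}")
```

Under these assumptions, blocking ssh or rsh to the file server removes the corresponding exploit nodes from the graph, exactly the "direct impact" the NIST authors describe, but the goal remains reachable through the services that are still permitted. That is the practical lesson of attack graphs for a risk assessment: a countermeasure should be judged by whether it cuts every path to the goal, not by the number of individual exploits it eliminates.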
The Internet of Things
The network universe is constantly expanding, with the "Internet of Things" (IoT)
acting as a principal driver.
A term coined by technologist Kevin Ashton in 1999,10 the
"Internet of Things" refers to efforts designed to extend the dominion of the
Internet from cyber space to the physical world, creating a network of
intelligent devices that form the mechanical equivalent of the body’s central
nervous system. The purpose is twofold:
- To gather information about physical processes in order to improve them; and
- To exercise real-time control over physical processes in order to effect greater efficiency and effectiveness.
As an example, the US and other nations are presently engaged in building
so-called "Smart Grids," electric grids that incorporate microprocessors to
record and report information relative to electric utilization – information
that will enable electric providers (and consumers) to regulate and conserve
costly energy resources.
While the potential impact of the Internet of Things is often diminished by
discussion of questionable applications – like smart refrigerators that
inventory their contents and automatically place orders for depleted food stuffs
– the IoT promises to enhance:
- Manufacturing, through the introduction of smart production equipment;
- Transportation, through intelligent vehicles and traffic control;
- Urban Infrastructure, through community-wide deployment of smart sensors;
- Healthcare, through "body area networks" and assistive systems; and
- Emergency Response, through IP-enabled surveillance systems.
Critically for network security chiefs, any assessment of network risk must
fully encompass IoT devices.
Recommendations
Confirm Adherence to the 20 Critical Security Controls
Part of performing an enterprise network risk assessment is verifying
enterprise compliance with the so-called "20 Critical Security Controls" (as
identified by security experts from business, government, and academia). These
controls are:
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
- Continuous vulnerability assessment and remediation
- Malware defenses
- Application software security
- Wireless access control
- Data recovery capability
- Security skills assessment and appropriate training to fill gaps
- Secure configurations for network devices such as firewalls, routers, and switches
- Limitation and control of network ports, protocols, and services
- Controlled use of administration privileges
- Boundary defense
- Maintenance, monitoring, and analysis of audit logs
- Controlled access based on the need to know
- Account monitoring and control
- Data protection
- Incident response and management
- Secure network engineering
- Penetration tests and Red Team exercises11
These controls must be in place to ensure a secure network environment, and a
comprehensive risk assessment should validate the proper functioning of each
control.
Do It NOW!
Conducting a thorough network risk assessment takes resources – both money
and personnel. For those executives who might be hesitant to invest in proactive assessment
activities, security officials, especially the chief security officer (CSO),
should
point to the almost monthly news reports of successful public and private
network attacks.
Regarding resources, the CSO should be respectful of enterprise best
practices and create a network risk assessment budget, detailing how risk
assessment dollars will be spent, and enabling a rough return on investment (ROI)
calculation, comparing funds allocated to funds saved (through incident
avoidance or mitigation).
Observe NIST Cybersecurity Guidance
Given the critical importance of achieving cybersecurity, NIST has established
six principal risk assessments objectives. An enterprise network
risk assessment should ensure these core cybersecurity objectives are
satisfied:
- Asset vulnerabilities are identified and documented.
- Cyber threat intelligence and vulnerability information is received from information sharing forums and sources.
- Threats, both internal and external, are identified and documented.
- Potential business impacts and likelihoods are identified.
- Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
- Risk responses are identified and prioritized.12
Take the Risk Out of Network Risk Assessments
If conducted improperly, a network risk assessment (NRA) can actually increase enterprise risk. The risk, however, can be largely eliminated by taking a few precautions:
- Back up all enterprise data before commencing the NRA. – This is sound advice before introducing any change into the enterprise information technology environment.
- Once the NRA is complete, conduct a post-NRA data and system integrity assessment. – The purpose of this analysis is to verify that the NRA did not produce any unknown or unwelcome changes to the IT environment. This is a classic change management protocol, usually implemented by the enterprise Quality Assurance (QA) Department. A critical component of the post-NRA assessment is ensuring that all data created in the course of conducting the NRA is "cleaned up." There should be no data "residue" that might reveal the results of the NRA, nor the techniques employed by the Risk Assessment Team, nor, obviously, any sensitive, confidential, or proprietary enterprise information.
- Engage an experienced security consulting firm to conduct the NRA. – Performing a network risk assessment requires specialized knowledge, including up-to-date training in new and emerging network technologies, and new and emerging network "threat vectors" (how networks, particularly "hardened" networks, are being attacked). Enterprise security analysts may not – indeed, probably will not – be fully conversant in the latest assessment techniques. They may also be less likely to report revealed exposures – preferring to quietly fix these vulnerabilities rather than alert the enterprise to their presence. In any event, an enterprise employee should not be asked to critique network security when he or she is intimately involved in providing such security. It's a terrible conflict of interest – one that can be avoided by hiring a trusted third-party assessor. Finally, with respect to any extra-enterprise assessors, insist on a non-disclosure agreement (NDA).
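The post-NRA integrity assessment has a concrete technical core: a baseline of the in-scope systems taken before the assessment, compared against the same systems afterwards, so that residue left by the assessors (added files), side effects of their testing (modified files) and data loss (removed files) all surface. The following is an added example written for this report, not a procedure from the report or any vendor; the directory layout and file contents in demo() are constructed in a temporary directory. In practice the baseline would be taken on each in-scope system and stored off-box, so that the assessment itself cannot alter it.

```python
"""Post-assessment integrity check: hash a tree before the NRA, hash it
again afterwards, and report what the assessment added, changed or removed.

Added example, not code from the report.  The directory layout and file
contents in demo() are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its
    SHA-256.  Symlinks are skipped, so a planted link cannot make a file
    look unchanged by pointing at the original content."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                                   # deterministic order
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences.  Content is compared by hash, not mtime, so a
    file rewritten with identical bytes is (correctly) not reported."""
    return {
        "added": sorted(set(after) - set(before)),       # residue left behind
        "removed": sorted(set(before) - set(after)),     # data loss
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),    # tampering/side effects
    }


def is_clean(diff: Dict[str, List[str]]) -> bool:
    return not any(diff.values())


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline, simulate assessment side effects, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "app.conf"), b"listen=443\n")
        _write(os.path.join(root, "srv", "www", "index.html"), b"<html>ok</html>\n")
        before = snapshot(root)

        # Simulated effects of the assessment (constructed):
        _write(os.path.join(root, "srv", "www", "index.html"), b"<html>ok</html>\n")  # same bytes
        _write(os.path.join(root, "etc", "app.conf"), b"listen=443\ndebug=1\n")       # config altered
        _write(os.path.join(root, "tmp-scan-output.txt"), b"host,port,finding\n")     # residue

        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind:>8}: {paths or '-'}")
    print("clean" if is_clean(result) else "post-NRA follow-up required")
```

The "added" list is the residue the report warns about; "modified" catches configuration changes an assessor made to get a test working and forgot to revert (the debug flag in the constructed scenario is the classic case). Hash-based comparison rather than timestamps matters here, because an assessor's tooling frequently touches files without changing them, and because a timestamp is trivially forged.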
Lobby Legislators for CDC-Level Research
Rather than enterprise networks becoming more secure, the frequency
and severity of network breaches is escalating, with the effect that
public-sector resources should be sought to address security issues that
affect both private-sector companies and government agencies.
Specifically, enterprise officials should petition the US Congress to
establish an institution similar to the Centers for Disease Control and
Prevention (CDC) that would be dedicated to enterprise network security
research, including, importantly, how to conduct a comprehensive
enterprise network security assessment.
Potential areas of investigation might include:
- How to rationalize data generated by multiple security mechanisms, such as anti-virus software, firewalls, and intrusion prevention systems.13
- How to enlist cyber supply chain partners in real-time risk assessment activities.
- How to maintain risk assessment momentum once an initial enterprise network risk assessment has been performed. After all, risk management, like business continuity, is an on-going responsibility.
- How to achieve network security in a world increasingly dominated by cloud services and cloud networks.
- How to manage emerging threats, like IoT networks.
References
1 Joint Task Force Transformation Initiative. "SP800-30 Revision 1: Guide for Conducting Risk Assessments." US National Institute of Standards and Technology. September 2012:7.
2 Bud Whiteman.
"Network Risk Assessment Tool (NRAT)." IAnewsletter, Volume 11,
Number 1, Spring 2008:4-8.
3-4 Karen Scarfone, Murugiah Souppaya, Amanda Cody, and
Angela Orebaugh. "SP800-115: Technical Guide to Information Security testing and
Assessment." US National Institute of Standards and Technology. September
2008. pp. 5-1 – 5-7.
5 Curtis Franklin. "… Assessment." Dark Reading (UBM Tech). October 4, 2018.
6 Karen Scarfone, Murugiah Souppaya, Amanda Cody, and
Angela Orebaugh. "SP800-115: Technical Guide to Information Security testing and
Assessment." US National Institute of Standards and Technology. September
2008. pp. 7-1 – 7-2.
7 Jon Oltsik. "New Services
Can Help Enterprises Assess and Mitigate Risk in the Cyber Supply Chain."
Network World. April 24, 2014.
8 "Give Your Computer Network a Quick Risk Assessment with These
10 Questions!" Insane Technologies. November 10, 2011.
9 Anoop Singhal and Xinming Ou. "NIST Interagency Report 7788:
Security Risk Analysis of Enterprise Networks Using Probabilistic Attack
Graphs." US National Institute of Standards and Technology. August 2011:7.
10 "2013: The Year of the Internet of Things." MIT Technology
Review. January 4, 2013.
11 Richard P. Lippmann and James F. Riordan. "Threat-Based Risk
Assessment for Enterprise Networks." Lincoln Laboratory Journal, Volume 22,
Number 1. 2016:34-35.
12 “Framework for Improving Critical Infrastructure
Cybersecurity.” Draft Version 1.1. National Institute of Standards and
Technology. January 10, 2017:29-30.
13 Xin Hu, Ting Wang, Marc Ph. Stoecklin, Douglas L. Schales, Jiyong Jang,
and Reiner Sailer. "Asset Risk Scoring in Enterprise Network with Mutually Reinforced Reputation Propagation."
Xin Hu. 2014.
Web Links
CERT Coordination Center:
http://www.cert.org/
SANS Institute: http://www.sans.org/
US National Institute of Standards and Technology: http://www.nist.gov/
About the Author
James G. Barr is a leading business continuity
analyst and business writer with more than 30 years’ IT experience. A member of "Who’s Who in Finance and Industry," Mr. Barr
has designed, developed, and deployed business continuity plans for a
number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member
of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s
Security Management Practices. Mr. Barr can be reached via
e-mail at jgbarr@faulkner.com.