Information Technology Security Assessment

Information Technology Security Assessment (IT Security Assessment) is an explicit study to locate IT security vulnerabilities and risks.

Background

In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, outlines detailed information about the network, etc. All parties understand that the goal is to study security and identify improvements to secure the systems. An assessment for security is potentially the most useful of all security tests.

Purpose of Security Assessment

The goal of a security assessment (also known as a security audit, security review, or network assessment^[1]), is to ensure that necessary security controls are integrated into the design and implementation of a project. A properly completed security assessment should provide documentation outlining any security gaps between a project design and approved corporate security policies. Management can address security gaps in three ways: Management can decide to cancel the project, allocate the necessary resources to correct the security gaps, or accept the risk based on an informed risk / reward analysis.

Methodology

The following methodology outline is put forward as the effective means in conducting security assessment.

Requirement Study and Situation Analysis
Security policy creation and update
Document Review
Risk Identification
Vulnerability Scan
Data Analysis
Report & Briefing

Sample Report

Security Assessment Report should include the following information:

Introduction/background information
Executive and Management summary
Assessment scope and objectives
Assumptions and limitations
Methods and assessment tools used
Current environment or system description with network diagrams, if any
Security requirements
Summary of findings and recommendations
The general control review result
The vulnerability test results
Risk assessment results including identified assets, threats, vulnerabilities, impact and likelihood assessment, and the risk results analysis
Recommended safeguards

Criticisms and Shortcomings

IT security risk assessments like many risk assessments in IT, are not actually quantitative and do not represent risk in any actuarially-sound manner. Measuring risk quantitatively can have a significant impact on prioritizing risks and getting investment approval (Doug Hubbard Hurdling Risk, CIO Magazine 1998).

Quantitative risk analysis has been applied to IT security in a major US government study in 2000. The Federal CIO Council commission a study of the $100 million IT security investment for the Dept. of Veterans Affairs with results shown quantitatively.

Professional Certifications

There are common vendor-neutral professional certifications for performing security assessment.

CISSP
CISM
CISA
ISO/IEC 27001:2013 Auditor/Lead Auditor
CRISC
QSA/ISA

External links

References

↑ http://ccbtechnology.com/four-signs-need-network-assessment/

Casas III, Victoriano. 2006. "An Information Security Risk Assessment Model for Public and University Administrators." Applied Research Project. Texas State University. http://ecommons.txstate.edu/arp/109/

This article is issued from Wikipedia - version of the 6/20/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.