Information Technology Security Assessment (IT Security Assessment) is an explicit study to locate IT security vulnerabilities and risks.


Background

In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, outlines detailed information about the network, etc. All parties understand that the goal is to study security and identify improvements to secure the systems. An assessment for security is potentially the most useful of all security tests.


Purpose of security assessment

The goal of a security assessment (also known as a security audit, security review, or network assessment) is to ensure that necessary security controls are integrated into the design and implementation of a project. A properly completed security assessment should provide documentation outlining any security gaps between a project design and approved corporate security policies. Management can address security gaps in three ways: cancel the project, allocate the necessary resources to correct the security gaps, or accept the risk based on an informed risk/reward analysis.


Methodology

The following methodology outline is put forward as an effective means of conducting a security assessment:

* Requirement study and situation analysis
* Security policy creation and update
* Document review
* Risk analysis
* Vulnerability scan
* Data analysis
* Report and briefing


Sample report

A security assessment report should include the following information:

* Introduction/background information
* Executive and management summary
* Assessment scope and objectives
* Assumptions and limitations
* Methods and assessment tools used
* Current environment or system description, with network diagrams if any
* Security requirements
* Summary of findings and recommendations
* The general control review result
* The vulnerability test results
* Risk assessment results, including identified assets, threats, vulnerabilities, impact and likelihood assessment, and the risk results analysis
* Recommended safeguards


Criticisms and shortcomings

IT security risk assessments, like many risk assessments in IT, are not actually quantitative and do not represent risk in any actuarially sound manner. Measuring risk quantitatively can have a significant impact on prioritizing risks and getting investment approval. Quantitative risk analysis has been applied to IT security in a major US government study in 2000. The Federal CIO Council commissioned a study of the $100 million IT security investment for the Department of Veterans Affairs, with results shown quantitatively.
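As an added illustration of the point above (not part of the original article), the following Python compares a qualitative likelihood-by-impact ranking of a risk register with a quantitative one and shows how the two can order the same risks differently. The register values are constructed, and the annualized loss expectancy formula (ALE = SLE x ARO) is a standard technique the article does not itself present.

```python
"""Qualitative vs. quantitative risk prioritization for an IT security assessment.

Added example, not from the original article. The register below is constructed
for illustration; ALE = SLE * ARO is the standard annualized-loss formula.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    qual_likelihood: int  # ordinal scale 1 (rare) .. 5 (almost certain)
    qual_impact: int      # ordinal scale 1 (negligible) .. 5 (severe)
    sle_usd: float        # single loss expectancy: dollars lost per event
    aro: float            # annualized rate of occurrence: events per year


def qualitative_score(r: Risk) -> int:
    """Heat-map style score: ordinal likelihood times ordinal impact."""
    return r.qual_likelihood * r.qual_impact


def ale(r: Risk) -> float:
    """Annualized loss expectancy in dollars (SLE * ARO)."""
    return r.sle_usd * r.aro


def rank(risks, key):
    """Risk names ordered from highest to lowest by the given scoring function."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def safeguard_is_justified(r: Risk, annual_cost_usd: float, residual_aro: float) -> bool:
    """A control is worth funding when the ALE it removes exceeds its annual cost."""
    ale_after = r.sle_usd * residual_aro
    return (ale(r) - ale_after) > annual_cost_usd


# Constructed risk register (illustrative values, not from any real assessment).
REGISTER = [
    Risk("Ransomware on file servers", 3, 5, 2_000_000, 0.05),
    Risk("Phishing credential theft", 4, 3, 50_000, 4.0),
    Risk("Unpatched web server defacement", 4, 2, 20_000, 2.0),
    Risk("Insider data export", 2, 3, 500_000, 0.25),
]

if __name__ == "__main__":
    # The insider risk ranks last qualitatively but second by expected annual loss.
    print("qualitative :", rank(REGISTER, qualitative_score))
    print("quantitative:", rank(REGISTER, ale))
    # Does a $60k/year phishing control that cuts ARO from 4 to 0.5 pay for itself?
    print("phishing control justified:", safeguard_is_justified(REGISTER[1], 60_000, 0.5))
```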


Professional certifications

There are common vendor-neutral professional certifications for performing security assessments:

* Certified Information Systems Security Professional (CISSP)
* CCSP
* CISM
* CISA
* ISO/IEC 27001:2013 Auditor/Lead Auditor
* CRISC
* QSA/ISA


Automated Security Assessment Tools

There are common tools for automated security assessment for self or third-party use:

* Findings
* Panorays
* RapidFire Tools
* Beyond Security
* Veracode
* RiskWatch
* SolarWinds


External links


* ISC2
* Information Systems Audit and Control Association
* SANS Institute

