Information technology security assessment: Difference between revisions
m Undid revision 1194905821 by 118.69.55.88 (talk) |
|||
| (23 intermediate revisions by 17 users not shown) | |||
| Line 1: | Line 1: | ||
'''Information Technology Security Assessment''' (IT Security Assessment) is an explicit study to locate [[IT security]] vulnerabilities and risks. |
'''Information Technology Security Assessment''' (IT Security Assessment) is an explicit study to locate [[IT security]] [[Vulnerability (computing)|vulnerabilities]] and risks. |
||
==Background== |
==Background== |
||
In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, outlines detailed information about the network, etc. All parties understand that the goal is to study security and identify improvements to secure the systems. An assessment for security is potentially the most useful of all security tests. |
In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides [[Computer Network|network]] access, outlines detailed information about the network, etc. All parties understand that the goal is to study security and identify improvements to secure the systems. An assessment for security is potentially the most useful of all [[Security testing|security tests]]. |
||
==Purpose of |
==Purpose of security assessment== |
||
The goal of a security assessment |
The goal of a security assessment (also known as a security audit, security review, or network assessment<ref>{{cite news|title=4 Signs You Need a Network Assessment|url=http://ccbtechnology.com/four-signs-need-network-assessment/|accessdate=20 February 2018|work=ccbtechnology.com}}</ref>), is |
||
to ensure that necessary security controls are integrated into the design and |
to ensure that necessary security controls are integrated into the design and implementation of a project. A properly completed security assessment should provide documentation outlining any security gaps between a project design and approved corporate security policies. Management can address security gaps in three ways: |
||
implementation of a project. A properly completed security assessment should provide |
|||
documentation outlining any security gaps between a project design and approved |
|||
corporate security policies. Management can address security gaps in three ways: |
|||
Management can decide to cancel the project, allocate the necessary resources to correct |
Management can decide to cancel the project, allocate the necessary resources to correct |
||
the security gaps, or accept the risk based on an informed risk / reward analysis. |
the security gaps, or accept the risk based on an informed risk / reward analysis. |
||
| Line 18: | Line 15: | ||
* Security policy creation and update |
* Security policy creation and update |
||
* Document Review |
* Document Review |
||
* |
*[[Risk Analysis]] |
||
* Vulnerability Scan |
* Vulnerability Scan |
||
* Data Analysis |
*[[Data analysis|Data Analysis]] |
||
* Report & Briefing |
* Report & Briefing |
||
==Sample |
==Sample report== |
||
A security assessment report should include the following information: |
|||
* Introduction/background information |
* Introduction/background information |
||
* Executive and Management summary |
* Executive and Management summary |
||
| Line 38: | Line 35: | ||
* Recommended safeguards |
* Recommended safeguards |
||
==Criticisms and |
==Criticisms and shortcomings== |
||
IT security risk assessments like many risk assessments in IT, are not actually quantitative and do not represent risk in any actuarially-sound manner. Measuring risk quantitatively can have a significant impact on prioritizing risks and getting investment approval |
IT security risk assessments like many risk assessments in IT, are not actually [[Numerical data|quantitative]] and do not represent risk in any actuarially-sound manner. Measuring risk quantitatively can have a significant impact on prioritizing risks and getting investment approval.<ref>{{cite magazine|last=Hubbard |first=Doug |date=1998 |title=Hurdling Risk |magazine=CIO Magazine }}</ref> |
||
Quantitative risk analysis has been applied to IT security in a major US government study in 2000. The |
Quantitative risk analysis has been applied to IT security in a major [[US government]] study in 2000. The Federal CIO Council commissioned a study of the $100 million IT security investment for the [[United States Department of Veterans Affairs|Department of Veterans Affairs]] with results shown quantitatively.[https://web.archive.org/web/20040202203225/http://www.cio.gov/documents/aie_report_final.pdf] United States Department of Veterans Affairs |
||
==Professional |
==Professional certifications== |
||
There are common vendor-neutral professional certifications for performing security assessment. |
There are common vendor-neutral professional certifications for performing security assessment. |
||
*[[Certified Information Systems Security Professional|CISSP]] |
|||
* CISSP |
|||
* CCSP |
|||
* CISM |
|||
* CISA |
* CISA |
||
* |
* ISO/IEC 27001:2013 Auditor/Lead Auditor |
||
* CRISC |
|||
* QSA/ISA |
|||
==Automated Security Assessment Tools== |
|||
There are common tools for automatic security assessment for self/third party usage. |
|||
* Findings |
|||
* Panorays |
|||
* RapidFire Tools |
|||
* Beyond Security |
|||
* Veracode |
|||
* RiskWatch |
|||
* SolarWinds |
|||
== External links == |
== External links == |
||
| Line 55: | Line 66: | ||
==References== |
==References== |
||
{{Reflist}} |
|||
Casas III, Victoriano. 2006. "An Information Security Risk Assessment Model for Public and University Administrators." Applied Research Project. Texas State University. http://ecommons.txstate.edu/arp/109/ |
Casas III, Victoriano. 2006. "An Information Security Risk Assessment Model for Public and University Administrators." Applied Research Project. Texas State University. http://ecommons.txstate.edu/arp/109/ |
||
Latest revision as of 11:06, 13 January 2024
Information Technology Security Assessment (IT Security Assessment) is an explicit study to locate IT security vulnerabilities and risks.
Background[edit]
In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, outlines detailed information about the network, etc. All parties understand that the goal is to study security and identify improvements to secure the systems. An assessment for security is potentially the most useful of all security tests.
Purpose of security assessment[edit]
The goal of a security assessment (also known as a security audit, security review, or network assessment[1]), is to ensure that necessary security controls are integrated into the design and implementation of a project. A properly completed security assessment should provide documentation outlining any security gaps between a project design and approved corporate security policies. Management can address security gaps in three ways: Management can decide to cancel the project, allocate the necessary resources to correct the security gaps, or accept the risk based on an informed risk / reward analysis.
Methodology[edit]
The following methodology outline is put forward as the effective means in conducting security assessment.
- Requirement Study and Situation Analysis
- Security policy creation and update
- Document Review
- Risk Analysis
- Vulnerability Scan
- Data Analysis
- Report & Briefing
Sample report[edit]
A security assessment report should include the following information:
- Introduction/background information
- Executive and Management summary
- Assessment scope and objectives
- Assumptions and limitations
- Methods and assessment tools used
- Current environment or system description with network diagrams, if any
- Security requirements
- Summary of findings and recommendations
- The general control review result
- The vulnerability test results
- Risk assessment results including identified assets, threats, vulnerabilities, impact and likelihood assessment, and the risk results analysis
- Recommended safeguards
Criticisms and shortcomings[edit]
IT security risk assessments like many risk assessments in IT, are not actually quantitative and do not represent risk in any actuarially-sound manner. Measuring risk quantitatively can have a significant impact on prioritizing risks and getting investment approval.[2]
Quantitative risk analysis has been applied to IT security in a major US government study in 2000. The Federal CIO Council commissioned a study of the $100 million IT security investment for the Department of Veterans Affairs with results shown quantitatively.[1] United States Department of Veterans Affairs
Professional certifications[edit]
There are common vendor-neutral professional certifications for performing security assessment.
- CISSP
- CCSP
- CISM
- CISA
- ISO/IEC 27001:2013 Auditor/Lead Auditor
- CRISC
- QSA/ISA
Automated Security Assessment Tools[edit]
There are common tools for automatic security assessment for self/third party usage.
- Findings
- Panorays
- RapidFire Tools
- Beyond Security
- Veracode
- RiskWatch
- SolarWinds
External links[edit]
References[edit]
- ^ "4 Signs You Need a Network Assessment". ccbtechnology.com. Retrieved 20 February 2018.
- ^ Hubbard, Doug (1998). "Hurdling Risk". CIO Magazine.
Casas III, Victoriano. 2006. "An Information Security Risk Assessment Model for Public and University Administrators." Applied Research Project. Texas State University. http://ecommons.txstate.edu/arp/109/