Introduction

Security assessment means different things to different people. This document attempts to explore what a security assessment means, why companies should invest time in performing one and what a security assessment should contain. It also covers the importance of having such assessments on a regular basis. Many organizations now must follow regulations to be compliant with the government. Although the government does not instruct organizations how to control or secure their systems, it does require that those systems be secure, and it requires organizations to prove to independent auditors that their security and control infrastructure is in place and operating effectively.

What is Security Assessment

An information security assessment is a measurement of the security posture of a system or organization; the security posture is the way information security is implemented. Security assessments are risk-based assessments, because they focus on vulnerabilities and impact. They rely on three main assessment methods that are inter-related; combined, the three methods can accurately assess the Technology, People and Process elements of security (SANS, 2008). They are explained as follows (Abdel-Aziz, 2018):

Reviewing Method

The reviewing method includes passive review and interviews, which are usually conducted manually.
This review helps evaluate systems, applications, networks, policies and procedures to discover vulnerabilities. It includes the review of documentation, architecture, rule-sets and system configurations. The reviewing method enables understanding of what the critical information is and how the organization wants to focus its security effort.

Examination Method

The examination method is a hands-on technical process that looks specifically at the organization from a system and network level.
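To make the rule-set and configuration review described under the reviewing and examination methods concrete, here is an added example that is not part of the original essay: a small Python reviewer for a simplified, constructed firewall rule format. The rule syntax, the port tables and the sample rule-set are assumptions made for illustration, not any vendor's format or any real system's rules. It produces the kind of findings a configuration review yields: management ports exposed to any source, cleartext protocols permitted, a catch-all allow, and rules shadowed by earlier rules so that they never match.

```python
"""Minimal firewall rule-set reviewer for a constructed, simplified rule format.

Each rule line:  <action> <proto> <src-cidr> <dst-cidr> <dst-port|any>
Rules are evaluated first-match, top to bottom, as most packet filters do.
The format is an assumption for this example, not a real vendor syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Ports whose exposure to any source is a classic review finding (assumed list).
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
# Services that carry credentials or data in cleartext (assumed list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means "any port"


def parse_rules(text):
    """Parse the simplified rule text into Rule objects, skipping blanks and comments."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        rules.append(Rule(
            line=n,
            action=action.lower(),
            proto=proto.lower(),
            src=ipaddress.ip_network(src, strict=False),
            dst=ipaddress.ip_network(dst, strict=False),
            port=None if port == "any" else int(port),
        ))
    return rules


def covers(a, b):
    """True if rule a matches every packet rule b would match (a shadows b)."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    port_ok = a.port is None or a.port == b.port
    return (proto_ok and port_ok
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def review(rules):
    """Return (line, severity, message) findings for an ordered rule list."""
    findings = []
    for i, r in enumerate(rules):
        # Shadowing: an earlier rule already decides every packet this one could match.
        for earlier in rules[:i]:
            if covers(earlier, r):
                findings.append((r.line, "LOW",
                                 f"shadowed by rule on line {earlier.line}; never matches"))
                break
        if r.action != "allow":
            continue
        if r.src == ANY_NET and r.port is None and r.proto == "any":
            findings.append((r.line, "HIGH", "allow any/any from any source"))
            continue
        if r.src == ANY_NET and r.port in MGMT_PORTS:
            findings.append((r.line, "HIGH",
                             f"{MGMT_PORTS[r.port]} management port exposed to any source"))
        if r.port in CLEARTEXT_PORTS:
            findings.append((r.line, "MEDIUM",
                             f"cleartext protocol {CLEARTEXT_PORTS[r.port]} permitted"))
    return findings


# Constructed sample rule-set for the example; not taken from any real system.
SAMPLE_RULES = """\
allow tcp 10.0.0.0/8 10.1.2.3/32 22      # admins to bastion
allow tcp 0.0.0.0/0 10.1.2.10/32 443     # public web
allow tcp 0.0.0.0/0 10.1.2.20/32 3389    # rdp open to the world
allow tcp 10.0.0.0/8 10.1.2.30/32 21     # legacy ftp
allow tcp 10.2.0.0/16 10.1.2.3/32 22     # already covered by line 1
allow any 0.0.0.0/0 0.0.0.0/0 any        # catch-all allow
deny any 0.0.0.0/0 0.0.0.0/0 any
"""

if __name__ == "__main__":
    for line, sev, msg in review(parse_rules(SAMPLE_RULES)):
        print(f"line {line}: [{sev}] {msg}")
```

Running the block against the sample rule-set reports the RDP exposure on line 3, the cleartext FTP rule on line 4, the shadowed rule on line 5, the catch-all allow on line 6 and the final deny that the catch-all makes unreachable. The shadowing check is the part that is easy to miss in a manual review: a rule that never matches is not a vulnerability by itself, but it signals that the rule-set no longer says what its authors believe it says, which is exactly what a documentation and configuration review is meant to surface.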
Examinations identify security vulnerabilities that exist in those systems, which includes technical analysis of the firewalls, intrusion detection systems and routers. It also includes vulnerability scans of the customer's networks. The reviewing assessment method provides excellent information that leads into future examinations.

Testing Method

Testing, often called penetration testing, is a process whereby someone imitates an adversary looking for security vulnerabilities that would allow a break-in to a system or network. The reviewing and examination methods provide excellent information that leads into future testing. The below diagram illustrates the relations of each method with each other: [diagram not reproduced in this copy]

Why Perform Security Assessment

Organizations have many reasons for taking a proactive and periodic approach to addressing security concerns.
The main objective of legal and regulatory requirements is to protect sensitive or personal data, as well as general public security requirements. Information security should be one of the highest priorities for any company, and companies must devote the utmost attention to information security risk. An IT security risk assessment takes on many names and can vary greatly in method, rigor and scope, but the core goal remains the same: identify and quantify the risks to the organization's information assets. Some areas of rationale for performing an enterprise security risk assessment include (Schmittling, 2018):

Cost justification: Adding information security is expensive, and it is really hard to justify how it helps the organization make more profit. The IT security risk assessment process should educate key business managers on the most critical risks associated with the use of technology, and automatically and directly provide justification for security investments.

Productivity: The security risk assessment must improve the productivity of IT operations, security and audit. By taking steps to formalize a review, create a review structure, collect security knowledge within the systems knowledge base and implement self-analysis features, the risk assessment can boost productivity.

Breaking barriers: To be most effective, security must be addressed by organizational management as well as the IT staff. Organizational management is responsible for making decisions that relate to the appropriate level of security for the organization. The IT staff, on the other hand, is responsible for making decisions that relate to the implementation of the specific security requirements for systems, applications, data and controls.

Self-analysis: The security risk assessment system must always be simple enough to use without the need for any security knowledge or IT expertise. This allows management to take ownership of security for the organization's systems, applications and data. It also enables security to become a more significant part of an organization's culture.
Communication: By gathering information from multiple parts of an organization, an enterprise security risk assessment boosts communication and expedites decision making.

Characteristics of Sound Security Assessment

It is important to understand the difference between the risk management process and any given security assessment process. Risk management is the overall process that includes the security assessment and the development and implementation of a security plan. Security assessment, on the other hand, is the estimation of risk for the purpose of decision making. Security assessment methodologies can be very useful analytic tools for integrating data into information that helps in understanding the nature and locations of risk in the system. However, security assessment should not be taken as the key method to establish risk, nor should it be relied on alone to determine decisions about how risk needs to be addressed. Security assessment methods should be used as part of a process that involves knowledgeable and experienced personnel who critically review the inputs, assumptions and results. The assessment process should integrate the security assessment output with other factors, the impact of key assumptions, and the impact of uncertainties created by the absence of data or the variability in assessment inputs before arriving at decisions about risk and actions to reduce risk (Nrc.gov, 2018).

Ultimately, it is the responsibility of the company to choose the security assessment method that best meets its requirements. Security policies must help facilities and agencies tasked with providing additional security in times of imminent danger.
Therefore, it is in the best interest of the company to develop a thorough understanding of the various security assessment methods in use and available before selecting a long-term strategy. A security assessment should be (Nrc.gov, 2018):

Structured: The underlying methodology must be structured to provide a thorough assessment. Some methodologies employ a more rigid structure than others. More flexible structures may be easier to use; however, they generally require more input from subject matter experts. Security assessment methods identify and use logic to determine how the data considered contributes to risk in terms of affecting the likelihood and/or consequences of potential incidents.

Given adequate resources: A team of experts/personnel, time and financial resources must be allocated to match the level of the assessment.

Experience based: The frequency and severity of past security-related issues and potential future issues must be taken into consideration. It is important to understand and document any actions that have been taken to prevent security-related events. The security assessment should consider the system-specific data and other knowledge about the system that has been acquired by field, operations and engineering personnel as well as external expertise.

Predictive: The security assessment should be investigative in nature, seeking to identify recognized as well as previously unrecognized threats to the facility's service and integrity. It should use the information available about previous security-related issues, but also focus on the potential for future security issues, including the likelihood of scenarios that may never have happened before.

Based on the use of appropriate data: Some security assessment decisions are simply judgment calls.
However, relevant information, and particularly data about the system under review, should affect the confidence level placed in the decisions.

Able to provide for and identify means of feedback: Security assessment is an iterative process. Actual field drills, audits and data collection efforts from both internal and external sources should be used to validate that it works.

Importance of Periodic Security Assessment

An information security assessment is important because it provides a road map for the implementation, evaluation and improvement of information security practices. As an organization implements its framework, it will be able to articulate goals and drive ownership of them, evaluate the security of information over time, and determine the need for additional measures. Think about security the way the finance department thinks about money. Just as an accounting system has checks and balances to help prevent fraud and embezzlement, IT security policies need to have checks and balances to help prevent intentional and unintentional security compromises. Organizations must conduct periodic security assessments internally so long as best practices are followed and a good set of checks and balances is kept. Having an independent third party perform some of the security assessments is the check and balance on the internal audit itself, and in fact confirms that all of the security policies and procedures are working as expected.
(Appliedtrust.com, 2018)

Conclusion

An organization must have a solid base for its information security framework. The risks and vulnerabilities to the organization will change over time; however, if the organization continues to follow its framework, it will be in a good position to address any new risks and/or vulnerabilities that arise. One best practice that is of the utmost importance is the support of senior management, but few documents clarify how that support is to be given. This represents the biggest challenge for any organization, as security initiatives will be addressed or prioritized based on upper management's involvement and knowledge (Schmittling, 2018).

Security risk assessment is important for all organizations regardless of how big or small they are. It helps an organization have a road map for handling current and potential future risks and for improving current processes or systems.