The Information Security Program and How a Security Assessment Fits In
65
Clients should not feel blindsided by anything in the final report resulting from the assessment.
Preparation should be emphasized. In each of the first four phases, there is some element of preparation, which is a key concept in this security assessment methodology. Preparation is in the form of doing research on companies and preparing question sets for meetings with clients. Preparation is important because it enables you to ask more informed questions during the assessment. Instead of wasting time on things you could have learned by preparing, you can spend the time in interviews talking about more meaningful aspects of the business. In addition, people are busy, so it is in everyone’s best interest to use time with the client efficiently. Good preparation allows you to do this.
EXECUTIVE SUMMARY
This chapter was a discussion of the definition of information security programs and
their key components, how a security assessment fits in, why companies would
conduct a security assessment, and the high-level security assessment methodology.
An information security program consists of people, processes, and technology
and is essentially the conglomeration of all steps a company takes to protect its
information assets. The key components of an information security program include:
Security strategy — Central component of an information security program; overall information security strategy based on the security risks the business is facing
Security policies and procedures — Security requirements and processes to implement the security strategy
Security organization — Personnel who ensure that the information security program is up to date and who conduct enforcement activities related to information security
Executive support — Support from management that is critical in helping to ensure that employees take the information security program seriously
Toolsets — Tools to automate tasks that are necessary for enforcement of good security practices but are virtually impossible to perform manually
Enforcement — Proactively checking for compliance with security policies and procedures to ensure that the information security program is effective
Due to the dynamic nature of companies, security risks are always changing.
Consequently, the information security program should be constantly evolving to
address current risks. The security assessment process is essentially the process for
ensuring that the information security program is addressing the security risks a
company faces. It is a constant evaluation of the information security program to
ensure that security measures are aligned with the security risks facing a company.
66
A Practical Guide to Security Assessments
Companies conduct security assessments for a variety of reasons. Some of the
key reasons include the following:
Obtaining an independent view of security — Companies want an independent assessment of how well their information security program is addressing the risks facing the company.
Managing security risks proactively — Constant evaluation of the information security program helps to effectively allocate resources for information security.
Determining measures to take to address any regulatory concerns — Many companies are regulated by information security legislation or regulations promulgated by the government such as GLBA, HIPAA, and requirements set forth by the FTC; a security assessment can help them determine what measures they need to take to achieve compliance.
Justification for funds — Some companies have security assessments conducted to help justify funds for information security initiatives; a security assessment can help show how information security can enhance revenues or reduce the risk related to security vulnerabilities and thus demonstrate the value of making investments in information security.
Once the business drivers for an assessment are identified and a need for a security assessment is established, it is critical to conduct it using a sound methodology that ensures that all relevant aspects of the assessment are covered in an efficient manner. In the methodology detailed in this book, the five key phases of the security assessment methodology are:
Planning — Define the scope, logistics, and scheduling.
Initial Preparation — Gather publicly available information; prepare initial documentation.
Business Process Evaluation — Gain understanding of the key business processes and identify critical supporting technologies.
Technology Evaluation — Evaluate and test critical technologies.
Risk Analysis and Final Presentation — Quantify risks, develop recommendations, and present the final report to the client.