A Practical Guide to Security Assessments
Chapter 6. Business Process Evaluation — This chapter discusses Phase 3 of the methodology, which is gaining an understanding of the business and evaluating the core business processes. It covers the process of interviewing business process owners and which questions to ask personnel to elicit information useful to a security assessment, as well as the use of questionnaires and other techniques to gather information from business process owners. The main objectives of this phase are to gain an understanding of the business and its core processes, identify process-related risks, and identify the critical technologies that support the core business processes, which are reviewed in detail in the next phase.
Chapter 7. Technology Environment — This chapter discusses Phase 4 of the methodology, which is the technology evaluation. Based on the material covered in Chapter 6, you should now have a good sense of which technology is critical to the business. This chapter walks the reader through the process of assessing that technology, along with some of the associated techniques. As in the previous chapter, it discusses the use of questionnaires and other techniques to gather information from technology owners.
Chapter 8. Risk Assessment and Final Presentation — This chapter discusses the final phase of the methodology, which is to perform the formal risk analysis, develop recommendations, and present the final report. It describes a process for performing the risk analysis by calculating a risk score. This calculation takes into account a number of risk factors, including the potential impact to the business, the probability of a security breach, and the existing controls that mitigate the risk. The chapter also discusses the importance of the final report, as it is the only tangible work product resulting from the assessment.
Chapter 9. Information Security Standards — At this point, the discussion of the methodology is complete. This chapter discusses some key standards that are relevant to information security. Some of the standards discussed include International Organization for Standardization (ISO) 17799 and COBIT.
Chapter 10. Information Security Legislation — This chapter contains short descriptions of key recent legislation that has a bearing on information security. It is important to be well informed about these laws, as they might affect the company where you are conducting a security assessment.
Appendices. Security Questionnaires — The Appendices contain questionnaires to help information security practitioners conduct security assessments. Questionnaires for key areas of information security are included, as well as generic questionnaires designed to help you gather information in the early stages of a security assessment. These questionnaires are structured to provide “guidance” so that practitioners understand the relevance of a given question. They can be modified to meet the needs of the specific company where a security assessment is being performed.