
What is a Security Assessment?

Security Assessments are a way to increase information technology (IT) security for your business.

Assessments cover all of an organization's computers, servers, and business processes. They help make an organization aware of the IT security issues that may exist within its systems. The System Assessor (SA) needs the full cooperation of the organization being assessed. Once the organization grants the SA access to its facilities, provides network access, and supplies detailed information about the network, the SA can study the current security posture and identify the improvements needed to make the systems secure.

Security Assessment

The assessment methodology includes the following steps.

  • Requirement Study and Situation Analysis
    • This step includes initial research of your company’s policies and procedures, applicable laws, and security best practices. The SA then creates a scope document. The scope document contains an assessment strategy, which outlines what is to be examined and how it will be handled, together with an assessment checklist. The scope document is signed and approved by the data owner.
  • Entrance Conference
    • In the entrance conference the scope document is reviewed with key personnel, along with the assessment process, the assessment roles, and the time frame for the assessment.
  • Fieldwork
    • Fieldwork is done in a systematic manner according to the previously developed checklist. The fieldwork is defined in the scope document and can include any of a variety of assessments, such as vulnerability, risk, compliance, and controls assessments and gap analysis.
  • The Report
    • The Assessment Report includes*:
      • Introduction of system being assessed and background information
      • Executive Summary and Management Summary
      • Scope and objectives of the assessment
      • Requirements for compliance*
      • Comparison against existing policies and procedures*
      • Limitations of the assessment
      • Tools and Methods used to run the assessment
      • Description of the network and current environment*
      • The vulnerability assessment results*
      • Risk assessment results, which include**:
        • Identification of assets
        • Identification of threats
        • Vulnerabilities
        • Impact and likelihood of risks
        • Risk results analysis
    * depending upon the scope
    ** Risk Assessment implies a vulnerability assessment
  • Exit Conference
    • The exit conference reviews the report with key personnel and answers questions about the findings. The scope document is revisited to demonstrate how the results align with the requirements it initially set forth.

The goal of a security assessment is to make sure that the necessary security controls are incorporated into an organization's process of doing business.

Those who handle your security assessments should hold at least one of the following professional certifications:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • GIAC Systems and Network Auditor (GSNA)
  • GIAC Certified ISO-17799 Specialist (G7799)