Sep 01 2009

Audit of security control and scoping

Category: Risk Assessment,Security ComplianceDISC @ 3:53 pm

scope

Information Technology Control and Audit

The audit is utilized as a tool to check compliance control based on standards such as ISO 27002 or NIST 800-53 etc. Some other terms which are not sometime rigorous audit have been used to asses controls are gap analysis, benchmarking and control review.

Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

Team lead should have a clear understanding of audit scope before the initial briefing to client. Basically what exactly the client wants and who are the target audiences in the final report and presentation. Clear understanding of the scope includes making sure that the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of assets included in the scope. Sort the assets list into different group of infrastructure which could be handed over to technical consultant for validation of the controls. At this point team lead should point out to technical consultant, the minimum number of assets which are required to be validated to satisfy sampling requirement.

Scope of final report/presentation should be clear regarding the list of non-compliance, prioritized recommendation or action plans which needs to be included in the report. During presentation of the findings, and to keep C level folks interested in the presentation, presenter needs to relate the findings to business risk and avoid using security acronym.

Scoping will take into account the length of the time available for field work, analysis, reporting and size and competence of the team to perform a successful audit. Especially if limited time is available for field work, the competence of the team matter to cover various infrastructure, to validate and document the controls effectively.


Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment

Nov 26 2008

Cyber threats and overall security assessment

Category: Information Warfare,Risk AssessmentDISC @ 3:13 am

The main screen showing star names (color-code...
Image via Wikipedia

In the past when senior management (execs) needed to understand the financial implication of cyber threats and their exposures, they turned their questionnaires toward IT for relevant answers. In other words IT risk assessment was the answer in the past to understand the financial implications of cyber threats. The IT risk assessment is not the comprehensive or overall assessment of the company to understand the total implications of cyber threats. The overall assessment will not only include IT but also other departments like HR and legal etc… Basically cyber threats are neither IT issue and nor a legal or HR issue any more, it’s simply an enterprise management issue.

In old days the firewall was used as a major defense against potential cyber threats. The new cyber threats are sophisticated enough to demand better defense. New threats (virus, adware, worms, Trojan, spyware, spam, phishing) use modern techniques to bypass defenses. The potential risks of these new threats demand an immediate attention (of CFO or higher) and approval for resource allocation to protect against cyber threats. To make a solid business case for security ROI, senior level execs need to know the overall risk they are reducing, and their highest priority.

[TABLE=12]

ANSI and ISA have jointly released a document to assist senior management to prepare for financial implications for cyber threats. Basic essence of the guide is to provide a tool to execs to understand the financial implications of potential cyber threats to their organizations.

“The 40 page guide was put together by task force of risk management execs from more than two dozen organizations. The new guide offered by ANSI and the ISA recommends that CFO ask their various team’s questions about the biggest threats to data confidentiality, integrity and availability,” to get to know the existing controls in place and any relevant mitigation plan. Risk analysis of this information can help execs to map the cyber threats risks into correct financial terms and make better resource allocation.
The senior execs who want to implement information security as a process in their organization should consider ISO 27001 (ISMS) as a best practice, which provides a reasonable on-going due diligence to protect and safeguard organization data.

Reblog this post [with Zemanta]

Tags: availability, Business, Chief financial officer, cyber threats, data confidentiality, exposure, Financial services, Human resources, Insurance, integrity, isms, ISO/IEC 27001, Management, overall assessment, risk analysis, Risk Assessment, Risk management, roi, Security

Aug 08 2008

Risk Assessment and System Profiling

Category: Risk AssessmentDISC @ 2:39 am

In real estate it’s all about location and the same way to succeed in information security risk assessment, it’s all about precise profiling of a system under review. The system profile sets the boundaries of an assessment and the reviewer includes or excludes assets in the review based on their criticality and sensitivity and the business objective of an assessment. A poorly defined system profile will result in a poor quality risk assessment effort, and puts the system at unnecessary risk. A well defined system profile covers all the unacceptable risks to the system and hence is the precursor to a successful risk assessment.


In order to understand business and operational risks, before setting up the scope of an assessment the system under review needs to be profiled with the business owner or system custodian.  For an effective system profile, it is necessary to understand the objective of an assessment, needs driving the project and any inherent threats and weaknesses to the system. In a system profile the reviewer finds out all the main business functions performed by the system and its contribution to the key business objectives is determined. These business objectives will drive the data classification and system criticality of the system profile.  The business impact rating is determined based on financial, operational, technological and physical threats to the confidentiality, integrity and availability of the system


System Interdependencies and Interfaces:


System boundaries identify where one system begins and other one ends. Determining all the interfaces to other systems is an important part of profiling the system. An interface is a connection between two systems, so most systems have multiple interfaces. The reviewer needs to determine what kind of communication and authentication protocols are utilized in the interfaces and how often the passwords are changed on these interfaces. To cover all the related interdependencies of a system, all the relevant application, operating systems, hardware, communication protocol, network topology, dataflow architecture needs to be profiled.  All the applications and operating systems (current release, life cycle, patch cycle) authentication and authorization details need to be evaluated as well. (Who needs authorized access, how often, and are there any exceptions?)


The best way to gather relevant information for an accurate profile is to conduct on-site interviews with the business owner and relevant subject matter experts. In addition, questionnaires, document review and scanning tools can be utilized as well.  Based on the system criticality and data classification and all the other relevant threats to the system, the overall business risk to the system is determined which is based on a (high, medium and low) scale. A carefully done system profile is integral to a sound risk assessment and ensures a common understanding of the system under review. Several business functions can utilize this valuable data and valid security decisions can be made.


 Information Security Books


Internet Security



httpv://www.youtube.com/watch?v=np1kSQHH0uM

Tags: classification, criticality, current release, interdependencies, interfaces, life cycle, patch cycle, protocols, sensitivity, threats, valuable data

« Previous Page