Assessment means different things to different people. This document will
attempt to explore what security assessment means, why companies should invest time
performing it, and what a security assessment should contain. This paper will
also cover the importance of having such assessments on a regular basis. Many
organizations now must follow regulations to be compliant with the government.
Although the government does not instruct organizations how to control or secure
their systems, it does require that those systems be secure. It requires organizations
to prove to independent auditors that their security and control infrastructure
is in place and operating.
What is Security Assessment?
An information security assessment is a measurement of the security posture of a
system or organization. The security posture is the way information security is
implemented. Security assessments are risk-based assessments, because they
focus on vulnerabilities and impact. Security assessments rely on three main
assessment methods that are inter-related. Combined, the three methods can
accurately assess the Technology, People and Process elements of security
(SANS, 2008). They are explained as follows (Abdel-Aziz, 2018):
The reviewing method includes passive review and interviews, which are usually
conducted manually. This review helps evaluate systems, applications, networks,
policies and procedures to discover vulnerabilities. It includes the review
of documentation, architecture, rule-sets and system configurations. The
reviewing method enables understanding of what the critical information and
systems are, and how the organization wants to focus on security.
The examination method is a hands-on technical process that looks specifically at the
organization from a system and network level. It identifies security
vulnerabilities that exist in those systems, which includes performing
technical analysis of the firewalls, intrusion detection systems and routers.
It also includes vulnerability scans of the customer's networks. The reviewing
assessment method provides excellent information that leads into future
examinations.
Testing, often called penetration testing, is a process whereby someone imitates an adversary
looking for security vulnerabilities that would allow a break-in to a system or
network. Reviewing and examination methods provide excellent information that
leads into future testing. The diagram below illustrates how each method
relates to the others:
Why Perform Security Assessment?
Organizations have many reasons for taking a proactive and periodic approach to addressing security
concerns. The main objective of legal and regulatory requirements is to protect sensitive
or personal data, as well as general public security requirements. Information
security should be one of the highest priorities for any company, and they must
devote the utmost attention to information security risk. An IT security risk
assessment takes on many names and can vary greatly in terms of method, rigor
and scope, but the core goal remains the same: identify and quantify the risks
to the organization's information assets. Some areas of rationale for
performing an enterprise security risk assessment include (Schmittling, 2018):
Adding information security is expensive, and it is hard to justify how it
helps the organization make more profit. The IT security risk
assessment process should educate key business managers on the most critical
risks associated with the use of technology, and automatically and directly
provide justification for security investments.
An IT security risk assessment should improve the productivity of IT operations, security and
audit. By taking steps to formalize a review, create a review structure,
collect security knowledge within the systems knowledge base and implement
self-analysis features, the risk assessment can boost productivity.
To be most effective, security must be addressed by organizational management
as well as the IT staff. Organizational management is responsible for making
decisions that relate to the appropriate level of security for the
organization. The IT staff, on the other hand, is responsible for making
decisions that relate to the implementation of the specific security
requirements for systems, applications, data and controls.
The security risk assessment system must always be simple enough to use,
without the need for any security knowledge or IT expertise. This will allow
management to take ownership of security for the organization’s systems,
applications and data. It also enables security to become a more significant
part of an organization’s culture.
By gathering information from multiple parts of an organization, an enterprise
security risk assessment boosts communication and expedites decision making.
Characteristics of Sound Security Assessment
It is important to understand the difference between the risk management process
and any given security assessment process. Risk management is the overall process
that includes the security assessment and the development and implementation of a
security plan. Security assessment, on the other hand, is the estimation of risk
for the purpose of decision making.
Security assessment methodologies can be very useful analytic tools for integrating data
into information that helps in understanding the nature and locations of risk in
the system. However, security assessment should not be taken as the sole method to
establish risk, nor should it alone determine decisions about how
risk needs to be addressed. Security assessment methods should be used as part
of a process that involves knowledgeable and experienced personnel who
critically review the inputs, assumptions and results. The security assessment
process should integrate the assessment output with other factors, the impact
of key assumptions, and the impact of uncertainties created by the absence of
data or the variability in assessment inputs before arriving at decisions about
risk and actions to reduce risk (Nrc.gov, 2018).
It is the responsibility of the company to choose the security assessment
method that best meets its requirements. Security policies must help
facilities and agencies tasked with providing additional security in times of
imminent danger. Therefore, it is in the best interest of the company to
develop a thorough understanding of the various security assessment methods
available before selecting a long-term strategy. A security assessment
should be (Nrc.gov, 2018):
Structured: The underlying methodology must be structured to provide a thorough assessment.
Some methodologies employ a more rigid structure than others. More flexible
structures may be easier to use; however, they generally require more input
from subject matter experts. Security assessment methods identify and use logic
to determine how the data considered contributes to risk in terms of affecting
the likelihood and/or consequences of potential incidents.
Given adequate resources: A team of experts/personnel, time and financial
resources must be allocated to match the level of the assessment.
Experience based: The frequency and severity of past security-related issues
and potential future issues must be taken into consideration. It is important
to understand and document any actions that have been taken to prevent
security-related events. The security assessment should consider the
system-specific data and other knowledge about the system that has been
acquired by field, operations and engineering personnel, as well as external
expertise.
Investigative: The security assessment should be investigative in nature, seeking to identify
recognized as well as previously unrecognized threats to the facility, service
and integrity. It should use the information available on previous
security-related issues, but also focus on the potential for future security
issues, including the likelihood of scenarios that may never have happened before.
Based on the use of appropriate data: Some security assessment decisions are simply
judgment calls. However, relevant information, and particularly data about the
system under review, should affect the confidence level placed in the decisions.
Able to provide for and identify means of feedback: Security assessment is an
iterative process. Actual field drills, audits and data collection efforts from
both internal and external sources should be used to validate that it works.
Importance of Periodic Security Assessment
An information security assessment is important because it provides a road map for
the implementation, evaluation and improvement of information security
practices. As an organization implements its framework, it will be able to
articulate goals and drive ownership of them, evaluate the security of
information over time, and determine the need for additional measures.
Think about security the way the finance department thinks about money. Just as
an accounting system has checks and balances to help prevent fraud and
embezzlement, IT security policies need checks and balances to help prevent
intentional and unintentional security compromises.
Organizations must conduct periodic security assessments; these can be done
internally so long as best practices are followed and a good set of checks and
balances is kept. Having an independent third party perform some of the security
assessments is the check and balance on the internal audit itself, verifying
that all of the security policies and procedures are working as expected. (Appliedtrust.com,
An organization must have a solid base for its information security framework. The
risks and vulnerabilities to the organization will change over time; however,
if the organization continues to follow its framework, it will be in a good
position to address any new risks and/or vulnerabilities that arise.
One of the best practices of utmost importance is the support of senior
management, but few documents clarify how that support is to be given. This
represents the biggest challenge for any organization, as security initiatives
will be addressed or prioritized based on upper management's involvement and
knowledge (Schmittling, 2018).
Risk assessment is important for all organizations regardless
of how big or small they are. It helps an organization to have a road map of how to
handle current and potential future risks and improve current processes or