Information Technology Security Assessment

From Wikipedia, the free encyclopedia

Information Technology Security Assessment (IT Security Assessment) is an explicit study to locate IT security vulnerabilities and risks.

Contents 1 Background 2 Methodology 3 Sample Report 4 Professional Certifications 5 External links

[edit] Background

In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, outlines detailed information about the network, etc. All parties understand that the goal is to study security and identify improvements to secure the systems. An assessment is potentially the most useful of all security tests.

[edit] Methodology

The following methodology outline is put forward as the effective means in conducting security assessment.

• Requirement Study and Situation Analysis
• Document Review
• Risk Identification
• Vulnerability Scan
• Data Analysis
• Report & Briefing

[edit] Sample Report

Security Assessment Report should include the following information:

• Introduction/background information
• Executive and Management summary
• Assessment scope and objectives
• Assumptions and limitations
• Methods and assessment tools used
• Current environment or system description with network diagrams, if any
• Security requirements
• Summary of findings and recommendations
• The general control review result
• The vulnerability test results
• Risk assessment results including identified assets, threats, vulnerabilities, impact and likelihood assessment, and the risk results analysis
• Recommended safeguards

[edit] Professional Certifications

There are common vendor-neutral professional certifications for performing security assessment.

• CISSP
• CISA
• BS7799 Lead Auditor - ISO/IEC 27001:2005 Auditor/Lead Auditor

[edit] External links

• ISC2
• Informations Systems Audit and Control Association
• EC-Council
• SANS Institute