Computer Science Wk 2 assignment

CyberSter

Please see attachment for instructions


WK2AssignmentInstructions.docx

Provide a one-page response to the following topic below utilizing supporting documentation obtained from your textbooks and the Internet. Be sure to include an APA Reference Page.

Topic: Assess the various Access Control methods.

Information_Security_Design_Implementation_Measure..._----_Chapter_3._Developing_an_Information_Security_Evaluation_ISE_Proces....pdf


3 Developing an Information Security Evaluation (ISE™) Process

The information security evaluation (ISE™) process is a marriage between the ISRAM™ (Information Security Risk Assessment Model) and the GISAM™ (Global Information Security Assessment Methodology) into a cohesive business process delivering an accurate and reliable assessment of an organization’s information security program.

The rationale for developing a formal business process is to ensure that a repeatable process is delivered for each GISAM assessment, ensuring accuracy and reliability of risk management information. In a large organization this can have tremendous impact on the success of the assessment process. By having a formal and documented process, the business has an opportunity to train information security professionals as well as the business stakeholders who will be reviewing the GISAM reports. These concepts hold true whether the assessments are delivered internally or a professional services or consulting company offers this type of assessment as a service.

Supporting documentation and systems can be developed to help business managers interpret information security findings and analysis because this type of information can be complex and overwhelming to non-information security or non-risk management professionals. I have personally developed several helper documents targeting various groups in an effort to help the target audience understand and apply the information and report data more effectively. As you begin developing your own material and assessments, the development of these types of documents will naturally unfold.

THE CULMINATION OF ISRAM AND GISAM

The ISRAM and GISAM are only one part of the equation when developing and implementing formal information security risk assessments. The model provides the context for a suitable assessment methodology to be designed and developed. The assessment method must accurately reflect all of the organizational requirements and still adhere to the principles of the model. The system or environment being assessed is the key driver for the type and scope of information security risk assessment method. The assessment method should adhere to the model but still factor in specific organizational requests and requirements.

AU7087_C003.fm Page 49 Thursday, April 27, 2006 3:31 PM

Layton, Timothy P.. Information Security : Design, Implementation, Measurement, and Compliance, Auerbach Publishers, Incorporated, 2006. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=267956. Created from apus on 2025-04-18 02:44:42.

Copyright © 2006. Auerbach Publishers, Incorporated. All rights reserved.

One of the best ways to accomplish this is to ensure that there is an executive sponsor on board and that all of the necessary resources and business elements are involved in the scope statement. Representatives from human resources, legal, compliance, internal audit, risk management, and business heads are all logical choices for involvement.

BUSINESS PROCESS

Independent of business process mechanics and technology, a professional still must deliver the GISAM, and he or she will be communicating and interacting with a wide array of people within the organization. By having a well-documented assessment delivery process, management can be assured of the assessment scope and expected output results.

STEP 1: DOCUMENTATION

Documentation describing the scope and intent of the pending information security risk assessment should be developed and presented to target representatives well in advance of the assessment date. This should be included in an introduction type document and capable of standing on its own. Special care should be taken to write the document in straightforward business language and explain at a reasonable level of detail what is involved in the assessment process.

I am not sure anyone is happy and anxious to have their organization evaluated by an outsider, much less by internal audit. This is a key thought to keep in mind when setting up meetings for the assessment. Typically executive management has secured a firm to conduct the assessment, or it could be a function of internal audit in larger organizations. Whether you call it a review, an assessment, or the nasty audit word, people in general have their guards up and would rather go to the dentist than talk with you. One method that usually helps calm everyone’s nerves is to have a well-documented process and provide the target audience with a concise and streamlined account of the upcoming process, activities, and expectations.

A sample meeting agenda should be developed and provided to the main point of contact within the target group. The sample agenda should be fully documented with times, meeting topics, and resource names. The point of contact should be instructed to replace the fictitious names with the actual names of company representatives who will be attending the assessment. The GISAM is logically broken up into 11 topical areas because of the security clauses in the ISO/IEC 17799:2005 (27002). Most U.S. organizations do not have a working knowledge of the security clause domains within the standard, and the terms will likely sound very foreign to them. Special care should be taken to develop an overview of the 11 domains and give the target group some working examples to help them apply these terms and phrases to their organization. The meeting agenda should track with the flow of the GISAM. One easy way to accomplish this is to simply follow the flow of the 11 ISO/IEC 17799:2005 (27002) main security clauses.

The information security assessment professional will have a much easier time on site conducting the assessment and interviews if everyone has a predisclosed understanding of the topics, time requirements, and level of resources required to attend the personal interviews.

A separate document could be developed providing an overview of the 11 main security clauses and the type of resources normally responsible for these areas. Whether the information security assessment is internal or external, nothing is more damaging than having the wrong people available during the assessment process. A good approach to help minimize this type of error is to have the target group assign responsible parties for each of the 11 main security clauses in addition to having them assign resources to the areas within the meeting agenda. The responsible party could potentially be different from the people who will be interviewed during the assessment process.

A short questionnaire should be developed and delivered to the target group along with the rest of the assessment documents. A few select key questions in the 11 main security clause areas can go a long way toward helping the information security professional understand where the organization stands before being surprised once the assessment process begins. You can refer to Chapters 7 through 17 and use some of the questions presented for each of the 133 controls in your questionnaire. Also, you may want to align your questions around the KRI or security baseline controls to help give you a perspective on the target organization’s information security program. It is not advisable that you list these controls as the security baseline or KRI controls until the time of the review. It is possible that an organization could use this knowledge to skew the outcome of the assessment.

STEP 2: DOCUMENTATION REVIEW

Once the target resources have completed the initial documentation, they should be asked to send it back to a point of contact on the risk assessment team. From there the information security assessment professional should receive and ultimately review all of the returned documentation to ensure the validity of the information provided and verify that enough information was provided to ensure a successful on-site assessment. If the documentation does not meet the information security professional’s expectation, action should be taken to help close this gap as quickly as possible. A careful review should be performed on the meeting agenda to ensure that all of the correct resources will be available for the upcoming meetings.

STEP 3: NEGOTIATE MEETING AGENDA

The meeting agenda is one of the most critical documents in the entire assessment process. It has the potential to make the assessment painless and straightforward as well as the potential to derail the process to the point of creating gaps or even failure. Special care should be taken to ensure that all vested parties have the appropriate expectations about the upcoming meetings and that the correct resources will be available during the assessment.


STEP 4: PERFORM GISAM

The assessment actually begins when the information security assessment professional shows up on site and begins the meeting process with the target resources. Typically it is a good idea to hold a kickoff meeting to make introductions and set expectations for the upcoming interviews and activities. After the initial meeting it is important to only meet with the responsible parties for each of the 11 main security clauses and keep the number of people in the meetings to a minimum. It can be very distracting and produce inaccurate results if multiple people are attempting to answer the same question.

The GISAM is broken down into five main activities: introduction, network architecture review, tour of data center and facilities, controls review, and control validation.

The introduction was described in the above paragraph. The other thing to note is that this is a critical time of the assessment because first impressions are critical and perceptions will likely be difficult to change after this time. It is always a good idea to make the target group feel comfortable and at ease.

Next, the network architecture review should be conducted with the appropriate network resources. In Chapter 2 in the “Network Security Architecture Evaluation” section, the scope of this portion of the assessment was reviewed and discussed. This is a critical part of the review because every organization is concerned about how confidential data is stored, processed, and transported. The local and wide area network is the vehicle most often used for these activities. If the assessing organization has control standards or security policies to be enforced around data protection, this section of the assessment becomes even more important and potentially critical. The time required to perform the network architecture review varies based on the complexity of the network and the amount of confidential data being transported, processed, or stored in the network.

Taking a tour of the facilities and data center is a key component to understanding the state of the physical and environmental controls that will be assessed in the upcoming controls review. During this walkthrough, the information security professional should be taking written and mental notes to discuss later in the assessment as appropriate. This portion of the assessment can take as little as 30 minutes or, depending on the size of the facilities and data center, it can take substantially longer.

Next, the individual interviews should occur for each of the 11 main security clauses as agreed on in the meeting agenda. For most organizations, reviewing the 133 controls can be accomplished in about one day, or possibly a little longer depending on a number of variables. At this point, a total of one and a half days have expired and the remaining on-site activities involve the validation of controls.

The process of validation is up to the assessing organization, but it is highly recommended for a select number of controls. A good foundation for validation is the 35 KRI controls. It is important that KRI controls are validated to the level of effectiveness that they were rated during the assessment. The KRI controls have the ability to impact the overall risk rating for the assessment, and it is logical to assume that executive management would want confirmation on the state of these critical controls. This is something that will have to be decided on in the scope of each assessment. Typically, the enterprise compliance or corporate information security function will have strong feelings about this one way or the other. Be sure to include all appropriate people and roles within the organization before making any decisions on this.

STEP 5: ANALYSIS AND FINDINGS

After the on-site portion of the assessment is complete, the information security professional must analyze all of his or her notes and assessment data before assigning the overall risk rating. Each control is reviewed very closely with special attention on the KRI controls and the network architecture portions of the review. Special care should be taken for any control that is rated as a level 3 or below because management must be able to understand the identified risks and create an action plan to eliminate or reduce the gap to an acceptable level. This part of the assessment can take several days to complete depending on the complexity of the data and the number of controls that received a low rating. The information security assessment professional must keep in mind that business leaders were not present during the assessment and the only information they receive on the cited risks is the information provided in the final report. The analysis, findings, and recommendations should be written in a business type format and targeted at non-security professionals.

STEP 6: PEER REVIEW

The last recommended step before providing the final report to the target group, or to the management of the target group, is to have a peer review the findings and analysis. Having a peer review the assessment adds one more layer of assurance that the information and analysis included in the report are accurate, understandable, and credible. It is highly advisable for organizations to include a peer review process for these types of assessments.

STEP 7: SUBMIT GISAM FINAL REPORT

The GISAM final report is the culmination of everyone’s effort and the only portion of the product that executive management and key stakeholders will see. In the second chapter in the “Reporting” section, a listing of suggested report elements was described and provided for consideration. Whatever the final report sections turn out to be, it is important that the reports are consistently structured and delivered in the same way every time. The information included in the GISAM final report is highly sensitive and considered confidential by most. Therefore, it is critical that the reports are provided to only the appropriate parties and that any copies of them are protected by appropriate controls. Information and data in these reports could lead to devastating events for the organization if the noted vulnerabilities were exploited.

It is a good idea to hold a postreview meeting with all of the appropriate stakeholders and the information security assessment professional to discuss the key points and findings of the assessment. The information security assessment professional is closest to the review and has the most comprehensive knowledge about the identified risks. It is highly likely that management may want or need more information to help prioritize risk management activities. Readers of the GISAM report should have read through the report and taken notes on key topics requiring more information before the group meeting is scheduled and held.

STEP 8: REMEDIATION

At this point, the appropriate management personnel and key stakeholders should have a current copy of the GISAM report and have read through the entire report. After the postreview meeting, it is up to executive management and key stakeholders to address the findings and analysis of the GISAM report according to their risk management strategy. For obvious reasons, the information security assessment professional should not be included in the remediation or risk management process.


Information_Security_Design_Implementation_Measure..._----_Chapter_4._A_Security_Baseline.pdf

Information_Security_Fundamentals_----_Chapter_3_Cryptology.pdf