Information Security Assessment Implementation Checklists

  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.
  • : Function ereg() is deprecated in /home/priandoyo/smashingpasswords.com/includes/file.inc on line 649.

Information Security Assessment Implementation Checklists

What should organization prepare before perform information security assessment process? NIST recommend the following things to be performed:

1. Establish an information security assessment policy.
This identifies the organization’s requirements for executing assessments, and provides accountability for the appropriate individuals to ensure assessments are conducted in accordance with these requirements. Topics that an assessment policy should address include the organizational requirements with which assessments must comply, roles and responsibilities, adherence to an established assessment methodology, assessment frequency, and documentation requirements.

2. Implement a repeatable and documented assessment methodology.
This provides consistency and structure to assessments, expedites the transition of new assessment staff, and addresses resource constraints associated with assessments. Using such a methodology enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. These risks can range from not gathering sufficient information on the organization’s security posture for fear of impacting system functionality to affecting the system or network availability by executing techniques without the proper safeguards in place. Processes that minimize risk caused by certain assessment techniques include using skilled assessors, developing comprehensive assessment plans, logging assessor activities, performing testing off-hours, and conducting tests on duplicates of production systems (e.g., development systems). Organizations need to determine the level of risk they are willing to accept for each assessment, and tailor their approaches accordingly.

3. Determine the objectives of each security assessment, and tailor the approach accordingly.
Security assessments have specific objectives, acceptable levels of risk, and available resources. Because no individual technique provides a comprehensive picture of an organization’s security when executed alone, organizations should use a combination of techniques. This also helps organizations to limit risk and resource usage.

4. Analyze findings, and develop risk mitigation techniques to address weaknesses.
To ensure that security assessments provide their ultimate value, organizations should conduct root cause analysis upon completion of an assessment to enable the translation of findings into actionable mitigation techniques. These results may indicate that organizations should address not only technical weaknesses, but weaknesses in organizational processes and procedures as well.

Trackback URL for this post:

http://www.smashingpasswords.com/trackback/148

User login

Who's online

There are currently 0 users and 58 guests online.

Who's new

  • RobertoPaum
  • laruecroninbimq
  • Ashleysmam
  • soniastretchbhdhcg
  • georgelesouefyf