Information Security Assessment Implementation Checklists
What should an organization prepare before performing an information security assessment? NIST (in SP 800-115) recommends that the following be in place:
1. Establish an information security assessment policy.
This identifies the organization’s requirements for executing assessments, and provides accountability for the appropriate individuals to ensure assessments are conducted in accordance with these requirements. Topics that an assessment policy should address include the organizational requirements with which assessments must comply, roles and responsibilities, adherence to an established assessment methodology, assessment frequency, and documentation requirements.
2. Implement a repeatable and documented assessment methodology.
This provides consistency and structure to assessments, expedites the transition of new assessment staff, and addresses resource constraints associated with assessments. Using such a methodology enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. These risks can range from not gathering sufficient information on the organization’s security posture for fear of impacting system functionality to affecting the system or network availability by executing techniques without the proper safeguards in place. Processes that minimize risk caused by certain assessment techniques include using skilled assessors, developing comprehensive assessment plans, logging assessor activities, performing testing off-hours, and conducting tests on duplicates of production systems (e.g., development systems). Organizations need to determine the level of risk they are willing to accept for each assessment, and tailor their approaches accordingly.
3. Determine the objectives of each security assessment, and tailor the approach accordingly.
- In the context of existing and other planned developments, does the scope of this project look reasonable? Should it be extended or limited?
- Does the project take a reasonable share of the resources currently available? Resources include staff, financial budgets, machine time, etc.
- What is the opportunity cost of the proposed development?
- Are there political or other factors that override or diminish the cost/benefit view of the justification?
- Does the project or proposed system conform to company and/or management style?
- Are the statements regarding the existing system correct?
- Do the figures for volumes and running costs agree with known data?
- Is there a single major problem with the existing system which, if dealt with on its own, would do away with the need for a new system?
- Are the users aware of the existing system's problems, or is the impetus for change purely external?
- Is the proposed system volume dependent? If so, have expected volumes been clearly stated? Are peak volumes catered for?
- Have the users been fully involved in assessing system requirements?
- Have the users signified their acceptance of the suggested requirements (by participating in lower-level QA procedures)?
- If any special tools or techniques were used to assess requirements or to measure rates and volumes (for example, simulations), were they satisfactorily constructed and carried out?
- In suggesting system requirements, are there excessive or abnormal demands on:
  - computer operations staff;
  - data preparation or control staff;
  - the user department;
1. Increase revenue:
- Optimize demand fulfillment.
- Increase forecast accuracy.
- Improve inventory positioning.
- Improve manufacturing responsiveness.
- Optimize vehicle scheduling.
- Improve supply chain responsiveness.
2. Increase asset utilization:
- Rationalize the network.
- Rationalize equipment.
- Reduce finished goods inventories.
- Increase forecast accuracy.
- Reduce cash-to-cash cycle time.
- Optimize batch runs.
- Reduce raw/work-in-progress inventory levels.
Download Free Gramm-Leach-Bliley Act (GLBA) IT Security Examination Procedures
Examination Objective: Determine whether the financial institution has established an adequate written Information Security Program and whether the program complies with the Guidelines Establishing Standards for Safeguarding Customer Information mandated by section 501(b) of the Gramm-Leach-Bliley Act of 1999.
Download Free IT Change Management Audit Templates
1. Identify strengths and weaknesses relating to development, acquisition, and maintenance activities, through a review of:
- Prior reports of examination;
- Internal and external audits;
- Regulatory, audit, and security reports from key service providers;
- Network topology maps; and
- Résumés of technology managers.