Information Security Risk Assessment
A knowledgeable Information Technology (IT) department is the first defense against cyberattack. How is your system organized? What technologies are used and for what purposes? What are the specific vulnerabilities of said technologies? By knowing yourself, you can better anticipate your enemies and their approaches.
DJPaA will assess that you have:
- An effective planning process that aligns IT and business objectives
- An ongoing risk assessment process that evaluates the environment and potential changes
- Technology implementation procedures that include appropriate controls.
- Measurement and monitoring efforts that effectively identify ways to manage risk exposure
Security Policy
Management is also vital to information security; DJPaA will verify that you've set a clear and concise security policy in line with business objectives through:
- Information security policy documentation
- Review of information security policy
Information Security Organization
We will assess organizational aspects of your security program through a review of:
- Management commitment
- Information security coordination
- Assignment of roles and responsibilities
- Authorization processes
- Communication strategies
Service Provider Oversight
Who will take the reins in the event of a security breach? Your service provider should support your organization's technology needs without impeding your ability to control what's yours. DJPaA will evaluate whether your service provider arrangements are both allowing you to function efficiently and properly manage risk. We will evaluate the following areas:
- Statement on Standards for Assessment Attestation Engagements (SSAE) 16 (formerly SAS·70) reviews
- Due diligence
- Control and security service level agreements
Asset Management
Who is responsible for what? We will assess the controls surrounding the protection of your assets. We will review documentation regarding:
- Responsibility for assets
- Information categorization
Personnel Security
We all want to trust our colleagues and peers, but nothing can be taken for granted when sensitive or valuable data is involved. Personnel should be empowered and given the clearances they need to perform their duties properly, but that trust must also be earned through the necessary credentialing. Because insiders often know their way around an institution's system and process better than outsiders, it is imperative to know who your authorized users truly are through:
- Background checks and screening
- Confidentiality, nondisclosure and authorized-use agreements
- Job descriptions
- Training
Physical Security
Where is your organization's information physically stored? Is it well-protected or accessible by anyone? We will assess your organization's ability to maintain the confidentiality, integrity, and availability of information, and evaluate the assurances provided by physical access controls. We will review:
- Data center security
- Cabinet and vault security
- Physical security
Communications and Operations Management
Are your organization's internal communications a closed circuit? We will assess the controls surrounding:
- Operational procedures
- Service delivery management
- System planning and acceptance
- Protection against malicious mobile code
- Backup and restore
- Network security management
- Media handling
- Exchange of information
- E-commerce service delivery
- Monitoring
Logical and Administrative Access Control
The administration should be able to make the calls as to who can and cannot access system resources. A logical and administrative access controls evaluation will review the following:
- Business requirements for access control
- User access management
- User responsibilities
- Network access controls
- Operating system access controls
- Application and information access controls
- Mobile computing and communications
Systems Development, Acquisition, and Maintenance
Get the good into your system, keep out the bad. Before developing, acquiring, or implementing new software, it is important to address potential vulnerabilities. This can be done by ensuring the following items are in order:
- Security requirements of information systems
- Correct processing in applications
- Cryptography
- Security of system files
- Security in development and support processes
- Technical vulnerability management
Incident Management
Security systems can be and should be tightened up to the fullest extent possible. However, no security system is completely failproof. When a breach does occur, your organization must be prepared to detect and react to the intrusion. Do you have an effective response program in place? The answer relies on your:
- Intrusion detection capabilities
- Intrusion response capabilities
- Incident handling procedures (including risk escalation and notification) Business Continuity
Turnover is a part of any organization, but names and faces changing can't be allowed to undermine the sanctity of its assets. A quality business continuity plan ensures there are no gaps in security when responsibilities change hands. Review of this plan is an integral part of the security process.
Compliance
The rules and regulations defined by law can be a lot to sort through, but neglecting to do so could have serious repercussions. Have DJPaA do the sorting for you, verifying all the controls are in place to protect against breach of the law, regulatory and contract obligations, or security requirements. Controls we will review include:
- Compliance with legal requirements
- Compliance with security policies, standards, and technical compliance
- Information systems audit
Testimonials