Information Technology Security Assessment

Information Technology Security Assessment (IT Security Assessment) is an explicit study to locate IT security vulnerabilities and risks.


In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, outlines detailed information about the network, etc. All parties understand that the goal is to study security and identify improvements to secure the systems. An assessment is potentially the most useful of all security tests.


The following methodology outline is put forward as an effective means of conducting a security assessment:
* Requirement Study and Situation Analysis
* Document Review
* Risk Identification
* Vulnerability Scan
* Data Analysis
* Report & Briefing

Sample Report

A security assessment report should include the following information:
* Introduction/background information
* Executive and Management summary
* Assessment scope and objectives
* Assumptions and limitations
* Methods and assessment tools used
* Current environment or system description with network diagrams, if any
* Security requirements

* Summary of findings and recommendations
* The general control review result
* The vulnerability test results
* Risk assessment results including identified assets, threats, vulnerabilities, impact and likelihood assessment, and the risk results analysis
* Recommended safeguards

Criticisms and Shortcomings

IT security risk assessments, like many risk assessments in IT, are not actually quantitative and do not represent risk in any actuarially sound manner. Measuring risk quantitatively can have a significant impact on prioritizing risks and getting investment approval (Doug Hubbard, "Hurdling Risk", CIO Magazine, 1998).

Quantitative risk analysis was applied to IT security in a major US government study in 2000. The Federal CIO Council commissioned a study of the $100 million IT security investment for the Dept. of Veterans Affairs, with results shown quantitatively.
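The prioritization point above, illustrated with an added example that is not from the article: a constructed risk register is scored two ways, with the standard annualized loss expectancy model (ALE = SLE × ARO, an assumption about method, not something the page prescribes) and with the usual 1-5 impact × likelihood heat-map product, and the two orderings come out different.

```python
"""Quantitative vs. qualitative ranking of a security assessment risk register.

The register below is constructed sample data, not from any real assessment.
ALE = SLE * ARO is the conventional annualized loss expectancy model; the
qualitative score is the 1-5 impact x likelihood product used on heat maps.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # dollars exposed if the threat materializes
    exposure_factor: float  # fraction of asset value lost per event (0..1)
    aro: float              # annualized rate of occurrence (events per year)
    impact_band: int        # qualitative 1..5 rating an assessor would assign
    likelihood_band: int    # qualitative 1..5 rating


def single_loss_expectancy(r: Risk) -> float:
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk) -> float:
    return single_loss_expectancy(r) * r.aro


def qualitative_score(r: Risk) -> int:
    return r.impact_band * r.likelihood_band


def rank(risks, key):
    """Risk names ordered from highest to lowest score under the given key."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def safeguard_worth(r: Risk, annual_cost: float, aro_after: float) -> float:
    """Annual net benefit of a control: ALE reduction minus the control's cost."""
    ale_after = single_loss_expectancy(r) * aro_after
    return annualized_loss_expectancy(r) - ale_after - annual_cost


# Constructed example register (hypothetical values)
REGISTER = [
    Risk("Ransomware on file server", 2_000_000, 0.5, 0.1, 5, 2),
    Risk("Lost unencrypted laptop", 50_000, 1.0, 4.0, 2, 5),
    Risk("Web app SQL injection", 500_000, 0.3, 0.5, 4, 3),
]

if __name__ == "__main__":
    print("qualitative:", rank(REGISTER, qualitative_score))
    print("quantitative:", rank(REGISTER, annualized_loss_expectancy))
```

The heat map puts the SQL injection finding first, while the dollar-denominated ranking puts the frequent, cheap laptop losses first; `safeguard_worth` then lets a recommended safeguard be justified in the same units as the risk.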

Professional Certifications

There are common vendor-neutral professional certifications for performing security assessments.
* BS7799 Lead Auditor - ISO/IEC 27001:2005 Auditor/Lead Auditor

External links

* ISC2
* Information Systems Audit and Control Association
* EC-Council
* SANS Institute


Wikimedia Foundation. 2010.
