Assessing Information Security

Assessing Information Security: Strategies, Tactics, Logic and Framework

A VLADIMIROV
K GAVRILENKO
A MICHAJLOWSKI
Copyright Date: 2010
Published by: IT Governance Publishing
Pages: 405
https://www.jstor.org/stable/j.ctt5hh6v9
    Book Description:

    Assessing Information Security deals with the philosophy, strategy and tactics of soliciting, managing and conducting information security audits of all flavours. It will give you the founding principles around information security assessments and why they are important. The book provides a fluid framework for developing an astute 'information security mind' capable of rapid adaptation to evolving technologies, markets, regulations, laws, and so on.

    eISBN: 978-1-84928-036-5
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 2-5)
  2. PREFACE
    (pp. 6-7)
  3. ABOUT THE AUTHORS
    (pp. 8-10)
  4. Table of Contents
    (pp. 11-12)
  5. INTRODUCTION
    (pp. 13-26)

    A thorough treatise dedicated to various aspects of information security auditing must cover why and what kind of assessments have to be performed, subject to a particular situation. It is expected to elaborate by whom, when, how, and in which specific sequence, they should be executed. It ought to address how to present the audit results in the most palatable manner and which corrective actions these findings might trigger. However, all we have just listed are mere technicalities. If you concentrate on them too much, without applying a sufficient level of abstraction, you are risking missing something of a much...

  6. CHAPTER 1: INFORMATION SECURITY AUDITING AND STRATEGY
    (pp. 27-67)

    Rephrasing Clausewitz, to produce a workable scheme for information security assessments is one of the tasks that are inherently simple, yet the simplest thing is difficult to implement. It is simple because the underlying logic is clear. It can be formulated in a minute. Here it comes from the (independent) auditor’s viewpoint:

    Find out about goals and conditions of the assessment.

    Plan the appropriate actions.

    Select the corresponding methodologies and tools.

    Check and test everything you can within the limits of budget, requirements, time and means.

    Pull the results together.

    Measure and analyse risks.

    Consider realistic remedies.

    Generate an impressive...

  7. CHAPTER 2: SECURITY AUDITING, GOVERNANCE, POLICIES AND COMPLIANCE
    (pp. 68-112)

    In the previous chapter, we emphasised that the most dangerous flaws are the flaws of security strategy. We have also discussed a few examples of such flaws. Strategic failures generate chain reactions of secondary and collateral shortcomings, many of which eventually become exploitable vulnerabilities – technical, operational and human. This is common sense that applies to numerous fields of expertise:

    When your strategy is deep and far reaching, then what you gain by your calculations is much, so you can win before you even fight. When your strategic thinking is shallow and near-sighted, then what you gain by your calculations is...

  8. CHAPTER 3: SECURITY ASSESSMENTS CLASSIFICATION
    (pp. 113-160)

    In theory, everything must be thoroughly assessed and verified to eliminate all kinds of security vulnerabilities and gaps. In the real world, however, there are limitations imposed by both budget and time. Because of these restrictions, the most critical areas must be identified to be audited first. Or, unfortunately, to be the only areas where information security state is going to be assessed for the foreseeable future. Making a correct, well-informed decision concerning the needed information security audits scope, priorities, spectrum and characteristics can be an intricate task. We shall thoroughly address it in the next chapter of this book....

  9. CHAPTER 4: ADVANCED PRE-ASSESSMENT PLANNING
    (pp. 161-198)

    Planning is vital. Planning is vision, direction and structure incarnate. However, in the rapidly changing sphere of information security, it has to be done with utmost care. Plans must always make allowance for the turn of the tide and our inevitable companion ‘friction’. If they fail so, plans will become rigid. From a strategic advantage they will turn into an obstacle of equally grand proportions. There are situations in which having inadequate plans is worse than having no plans at all. At least, in the latter case there are still some possibilities of swift adaptation. Enforcement of stagnant plans will...

  10. CHAPTER 5: SECURITY AUDIT STRATEGIES AND TACTICS
    (pp. 199-261)

    The previous chapters put heavy emphasis on governance, management and policy issues in relation to assessing information security. They are also heavily centred on the issues of strategic significance. It is time to pull up the sleeves and dive into the realm of tactics. Inevitably, this means that the upcoming discourse will have to be more technically inclined. However, as stated in this book’s preface, providing detailed checklists or hands-on testing manuals is not the intended goal. We are not competing with, for example, OSSTMM (Open Source Security Testing Methodology Manual), not to mention more specific in-depth guides like OWASP...

  11. CHAPTER 6: SYNTHETIC EVALUATION OF RISKS
    (pp. 262-308)

    Discovering and evaluating vulnerabilities and gaps without the thorough analysis of risks they introduce is as good as doing recon without using its results. In fact, for the risk analysis phase, all previous security audit stages are nothing more than the necessary reconnaissance. One of the fundamental principles of Chapter 1 states that ‘information security assessment always operates with probabilities’. Gauging these probabilities is a fine science and art that has to be fully mastered by at least a single member of the auditing team. It is absolutely essential for the success of both the assessment and its follow-up acts. For...

  12. CHAPTER 7: PRESENTING THE OUTCOME AND FOLLOW-UP ACTS
    (pp. 309-360)

    As emphasised in the closing part of the previous chapter, properly presenting information security assessment results is essential for the overall success. Which tangible outcome does the company or organisation expect from the security audit performed? First of all, it is the assessment report. Besides, the accompanying presentations and debriefs are likely to be requested. In addition, assistance from the auditors can be called for during the assessment follow-up. After all, the ones who have offered the remedial advice are expected to be the experts in all the suggested remedies. There is no point in recommending a solution you are...

  13. CHAPTER 8: REVIEWING SECURITY ASSESSMENT FAILURES AND AUDITOR MANAGEMENT STRATEGIES
    (pp. 361-395)

    Even if you studied and comprehended everything said in this and other relevant sources on information security auditing, everything can still go blatantly wrong. There are always some inevitable influences of chance, human error, technical fault and environmental pressures. Because of the latter, quite often both the auditee and the auditors have to make important decisions on the basis of insufficient information and in a very limited timeframe. This might lead to a variety of shortcomings on both sides, which can easily amplify their net negative effects when synchronised. As a result, a security audit or, even worse, successive series...

  14. BIBLIOGRAPHY
    (pp. 396-402)
  15. ITG RESOURCES
    (pp. 403-405)