Regular review of the security of IT systems, to confirm that they comply with organizational security policies, standards and procedures, is essential. Reviewing IT systems against an industry standard or another accepted baseline and set of configuration guidelines gives an organization a benchmark against which its security can be compared with information security best practice. Internal audits help to ensure that your organization is meeting its own targets and expectations.
A security review should be an overall security evaluation which examines:
- your organization's business requirements;
- how you currently provide for security within the organization;
- industry best practices for meeting those requirements.
The goal of a security review is to capture a snapshot of your organization's security not only from a technical perspective but also from a policy and procedural one. It may also take in topics as diverse as physical security and human resources matters.
Some common steps involved are:
1. Information Asset Identification to verify that the items covered in a risk assessment are adequate. This involves asking:
· what information assets exist,
· where they are located,
· who needs access to this information:
- Internal employees
- External Customers
- External Companies
· who must not have access to this information.
2. Information Sensitivity and Criticality Assessment to assess the levels of:
· sensitivity of the information:
o Classification of each information asset
o Identification of the consequences of the information falling into the wrong hands
· criticality of each of the organization’s information assets:
o During normal times
o During special periods (end of year, end of month, reporting periods etc)
o Identification of the consequences of the data being unavailable for:
- 8 hours,
- 24 hours,
- more than 24 hours.
3. Access Policy Review to determine what your organization’s security model should be permitting and what it should deny.
4. A Security Supporting Functions Review looks at those parts of your existing environment which passively enhance its security, from a monitoring or procedural perspective. These can include:
- Intrusion Detection Systems
- User Activity Monitoring Systems
- System Integrity Testing Systems
From this it is possible to determine if the current environment has adequate controls covering the following areas:
· Patches and Upgrades
· Account Maintenance
· Backups and Recovery
· Change Management
· Intrusion Detection:
o attack detection
o reporting
· User Activity Monitoring:
o correct detection of Inappropriate Use
o correct investigation of incidents of Inappropriate Use
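One of the Security Supporting Functions listed above is a system integrity testing system. As an added illustration, not code from the original page, the following Python script shows the core of such a check: it records a baseline of SHA-256 digests and permission bits for every regular file under a directory, then compares a later scan against that baseline and reports which files were added, removed or modified. The directory tree it scans and the tampering it detects are constructed inside the script, and the function names (file_digest, build_baseline, compare_baselines, demo) are my own, not from any product mentioned on the page.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical helper names chosen for this example; not from the original page.


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each regular file under root (POSIX relative path) to its digest and mode bits."""
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # do not follow links that may point outside the monitored tree
            rel = p.relative_to(root_path).as_posix()
            mode = p.stat().st_mode & 0o7777  # permission bits only, incl. setuid/setgid/sticky
            baseline[rel] = {"sha256": file_digest(p), "mode": mode}
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Return sorted lists of added, removed and modified (content or permission) paths."""
    old_keys, new_keys = set(old), set(new)
    modified = sorted(
        k for k in old_keys & new_keys
        if old[k]["sha256"] != new[k]["sha256"] or old[k]["mode"] != new[k]["mode"]
    )
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": modified,
    }


def demo() -> dict:
    """Constructed scenario: baseline a small 'etc' tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "motd").write_text("authorised use only\n")
        os.chmod(etc / "sshd_config", 0o600)
        baseline = build_baseline(tmp)

        # Simulated drift, constructed for the example:
        # a config weakened and made world-writable, a UID-0 account appended,
        # a file removed, and a preload file dropped in.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(etc / "sshd_config", 0o666)
        with (etc / "passwd").open("a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (etc / "motd").unlink()
        (etc / "ld.so.preload").write_text("/tmp/evil.so\n")

        return compare_baselines(baseline, build_baseline(tmp))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline it compares against: store the baseline off the monitored host (or sign it), because an intruder with administrative access can otherwise rewrite the baseline along with the files it covers.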
5. A review of an organization’s Security Enforcing Functions is designed to evaluate those parts of your environment that actively enforce security. These include:
- Packet-filtering routers
- Operating System Access Controls
- Application Server Configurations
- Digital Certificates and Encryption
The aim of this is to determine whether the existing Security Enforcing Functions within your organization:
1. Provide an adequate level of redundancy
2. Provide an adequate level of protection
3. Require modification in any way to provide more appropriate levels of protection or redundancy.