Information Systems Security Assessment Framework (ISSAF) Draft 0.1
4 ASSESSMENT FRAMEWORK
Note: This section is incomplete
Enterprises generally spend a lot of money on best-of-breed security technology but
ignore two very important elements of end-to-end security: 1. People and 2.
Processes. Security is not a product; it is an ongoing process. Without good people
and well-designed processes, even the best technology is not going to reduce risk. A
security organization needs all three supports to maintain balance and
effectiveness.
A security assessment framework is not complete without considering all three
components of end-to-end security: 1. People, 2. Process and 3. Technology.
Having considered the three components mentioned above, we describe a complete
approach to security assessment across the following domains:
© 2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org) Date: 4/28/2023 Page 2 of 3
Figure: Secure Enterprise (diagram labels: Technology, People, Secure Enterprise)
Figure: Security assessment domains (diagram labels)
1. Review of Information Security Policy & Organization
2. Evaluation of Risk Assessment Methodology
3. Controls Assessment (A, B, C): Technical Controls Assessment, Physical Security Assessment, Social Engineering
4. Review of Logging, Monitoring & Auditing Processes
5. Security Awareness & Training
6. Outsourcing Security Concerns
7. Business Continuity Planning & Disaster Recovery Plan Review
8. Legal and Regulatory Compliance