
Assessment Framework


Information Systems Security Assessment Framework (ISSAF) Draft 0.1

4 ASSESSMENT FRAMEWORK

Note: This section is incomplete

Generally, enterprises spend a lot of money on best-of-breed security technology but ignore two very important elements needed to achieve end-to-end security: 1. People and 2. Processes. Security is not a product; it is an ongoing process. Without good people and well-designed processes, even the best technology is not going to reduce risk. A security organization needs all three supports to maintain balance and effectiveness.

A security assessment framework is not complete without considering all three components of end-to-end security: 1. People, 2. Process and 3. Technology.

After considering the three components mentioned above, we describe a complete approach to security assessment across the following domains:

© 2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org) Date: 4/28/2023 Page 2 of 3

[Figure: the three supports of a Secure Enterprise; the labels legible in the diagram are People and Technology]


[Figure: assessment domains, centred on the Information Systems Security Assessment Framework. The diagram numbers the domains as follows:
1. Review of Information Security Policy & Organization
2. Evaluation of Risk Assessment Methodology
3. Controls Assessment, subdivided into A, B and C: Technical Controls Assessment, Physical Security Assessment and Social Engineering
4. Review of Logging, Monitoring & Auditing Processes
5. Security Awareness & Training
6. Outsourcing Security Concerns
7. Business Continuity Planning & Disaster Recovery Plan Review
8. Legal and Regulatory Compliance]