Business Security Consultants, Inc.

Securing the Future of Your Business

Information Systems Security Assessment

Our assessment tools are designed to identify and address security risks in your environment. They take a holistic approach to measuring your security posture by covering topics across people, process, and technology.

The assessment consists of over 240 questions. Each finding is coupled with prescriptive guidance and recommended mitigation efforts, including links to further industry guidance where needed. These resources can help you learn more about the specific tools and methods that can improve the security posture of your IT environment.

The following table lists the areas that are included in the security risk assessment:


Infrastructure: importance to security

Perimeter Defense

Perimeter defense addresses security at network borders, where your internal network connects to the outside world. This constitutes your first line of defense against intruders.

Authentication

Rigorous authentication procedures for users, administrators, and remote users help prevent outsiders from gaining unauthorized access to the network through local or remote attacks.

Management & Monitoring

Management, monitoring, and proper logging are critical to maintaining and analyzing IT environments. These tools become even more important after an attack has occurred and incident analysis is required.

Workstations

The security of individual workstations is a critical factor in the defense of any environment, especially when remote access is allowed. Workstations should have safeguards in place to resist common attacks.

Applications: importance to security

Deployment & Use

When business-critical applications are deployed in production, the security and availability of those applications and their hosting servers must be protected. Continued maintenance is essential to help ensure that security bugs are patched and that new vulnerabilities are not introduced into the environment.

Application Design

Design that does not properly address security mechanisms such as authentication, authorization, and data validation can allow attackers to exploit security vulnerabilities and thereby gain access to sensitive information.

Data Storage & Communications

Integrity and confidentiality of data are among the greatest concerns for any business. Data loss or theft can negatively affect an organization's revenue as well as its reputation. It is important to understand how applications handle business-critical data and how that data is protected.

Operations: importance to security

Environment

The security of an organization depends on the operational procedures, processes, and guidelines that are applied to the environment. They enhance security by including more than just technology defenses. Accurate environment documentation and guidelines are critical to the operations team's ability to govern, support, and maintain the security of the environment.

Security Policy

Corporate security policy refers to the collection of individual policies and guidelines that exist to govern the secure and appropriate use of technology and processes within the organization. This area covers policies to address all types of security, such as user, system, and data.

Backup & Recovery

Data backup and recovery is essential to maintaining business continuity in the event of a disaster or a hardware or software failure. A lack of appropriate backup and recovery procedures could lead to significant loss of data and productivity, and could put the company's reputation and brand at risk.

Patch & Update Management

Good management of patches and updates is important in helping secure an organization's IT environment. The timely application of patches and updates is necessary to help protect against known and exploitable vulnerabilities.

People: importance to security

Requirements and Assessments

Security requirements should be understood by all decision-makers so that both their technical and their business decisions enhance security rather than conflict with it. Regular assessments by a third party can help a company review, evaluate, and identify areas for improvement.

Policies and Procedures

Clear, practical procedures for managing relationships with vendors and partners can help protect the company from exposure to risk. Procedures covering employee hiring and termination can help protect the company from unscrupulous or disgruntled employees.

Training and Awareness

Employees should be trained and made aware of security policies and how security applies to their daily job activities so that they do not inadvertently expose the company to greater risks.

Assessment Process and Scope

The assessment is designed to identify the business risk of your organization and the security measures deployed to mitigate that risk. Focusing on common issues, the questions have been developed to provide a high-level security risk assessment of the technology, processes, and people that support your business.

Beginning with a series of questions about your business model, the tool builds a Business Risk Profile (BRP), which measures the risk inherent in doing business in your industry and under your business model. A second series of questions is posed to compile a list of the security measures your company has deployed over time. Together, these security measures form layers of defense, providing greater protection against security risk and specific vulnerabilities. Each layer contributes to a combined strategy for defense-in-depth, and their sum is referred to as the Defense-in-Depth Index (DiDI). The BRP and DiDI are then compared to measure risk distribution across the areas of analysis (AoAs): infrastructure, applications, operations, and people.

Copyright © 2010 by Business Security Consultants, Inc. All Rights Reserved - 888-655-3600