IT Security Assessment
Information Security & Operations Scorecard
Developing an effective IT & Cyber Security strategy that mitigates business risks within the available budget is challenging. A comprehensive IT security assessment helps an organization map out the activities needed to reach an appropriate IT & Cyber Security state.
Security risks are constantly evolving. Organizations are compromised for profit and as a distraction from other activity. Attackers exploit the weakest link in an organization's security profile; no organization is immune.
Delivering an optimized IT & Cyber Security posture requires a combination of design, technology, training, and operational practices. This holistic approach must be aligned so that it effectively mitigates the risks relevant to the organization. The key is to balance the cost of security technology and operations against business risk.
Data Perceptions has developed an industry-leading security posture assessment, the IT Security & Operations Scorecard. The Scorecard leads your key information security stakeholders through a security and operations assessment process that identifies the current and target state of security operations.
To validate the initial assessments, we review:
- network and systems configuration, availability, and integrity;
- security operations policies, procedures, and practices;
- external and internal vulnerability assessment (EVA/IVA) of the network and systems;
- email impersonation, email control, and spam email assessment; and
- simulated phishing (social engineering) assessment.
Based on Data Perceptions' decades of security experience, current industry practice, and the Scorecard findings, we develop an overall security posture assessment and a prioritized mitigation roadmap for improved IT security and operations.
Information Security & Operations Scorecard
(Security Assessment)
Data Perceptions has developed a formal approach to helping organizations build a roadmap for their risk mitigation efforts.
Data Perceptions uses its IT Security and Operations Scorecard to develop a security risk assessment profile. The Scorecard draws on the 20+ years of experience each of our team members has dealing with security breaches and implementing preventive measures. The Scorecard was designed to align with ISO 27001/27002, an internationally accepted framework for information security controls. Other frameworks and regulations, such as NIST 800-53, NIST 800-171, PCI DSS, COBIT, GDPR, PIPEDA, HIPAA, CMMC, or the Canadian Baseline Cyber Security Controls (CBCSC), can also be used.
The Scorecard provides a structured approach to evaluating and identifying the:
- risk tolerance level of an organization;
- acceptable risks; and
- priorities of risk mitigations.
Risk tolerance is typically a balance of potential damage, risk probability and relative priority, user inconvenience, data confidentiality and sensitivity, and mitigation cost. An organization must understand its risk acceptance threshold. The Scorecard helps identify a risk acceptance level for each activity and documents the corresponding mitigation activities.
Initial discussions outline information security risk concerns in three common categories:
- Major Revenue Stream;
- Intellectual Property; and
- Brand & Reputation.
The Scorecard covers the following control topics, aligned with ISO 27001/27002:
- Information security policies
  - Management responsibility for defining and supporting the information system security policies and procedures.
- Organization of information security
  - Define the roles and responsibilities for each aspect of information systems security.
  - Security controls for mobile devices and remote/virtual computing.
- Human resource security
  - Security controls prior to employment, during employment, on changes of responsibility, and on termination.
  - Allocation and return of corporate assets, and ongoing organizational security education.
- Asset management
  - Inventory and classify information assets and define asset responsibility.
  - Define controls for managing storage media.
- Access control
  - Business requirements for access control and management of user access. User responsibility for access security. Application access control.
- Cryptography
  - Control of encryption use. Management of cryptographic keys and digital signatures.
- Physical and environmental security
  - Control physical access to secure areas; protection from unauthorized access, fire, flood, etc.
  - Equipment security and protection, monitoring capability, equipment reuse, clear desk policy.
- Operations management
  - Operational procedures, malware protection, backups and data retention, patch management, logging and monitoring, software management.
- Communications security
  - Network segmentation and security; policies and procedures for information transfer, mail, and third-party services.
- System acquisition, development and maintenance
  - Security controls for application systems, security during development and support, and security of test data.
- Supplier relationships
  - Maintenance and availability of contracts and support agreements. Security requirements and controls for third-party suppliers.
- Information security incident management
  - Policies and procedures for reporting, assessing, and responding to security incidents.
- Information security aspects of business continuity management
  - Information security continuity planning. Information system redundancy sufficient to satisfy the organization's requirements.
- Compliance
  - Legal and contractual requirements; information systems security reviews and/or audits.
Other frameworks such as ITIL and COBIT have been considered and incorporated into the Scorecard.
The Scorecard uses the CMMI (Capability Maturity Model Integration) maturity model to add another measurement dimension to the framework controls. The scale measures the effectiveness and maturity of the management and application of security controls, and the 0 to 5 rating helps determine how an organization compares to others for specific controls. The CMMI scale ranges from 0, where no process exists, to 5, where a well-documented continuous improvement process is in place. Most organizations strive for the 3 to 4 range, depending on the industry segment. For each topic the following is assessed:
- current security maturity level and acceptable risk;
- target maturity level applicable to each control; and
- current priority for the organization.
The Scorecard delivers recommendations to assist organizations in making key risk mitigation decisions.
Outcomes of the Scorecard include:
- a Security Posture Assessment Score based on current and target operations maturity, using the CMMI rating scale;
- prioritized security remediation action items based on capacity, budget constraints, and risk priority;
- a Security Ecosystem Map which highlights the prioritized security remediation action items;
- a Security Remediation Action Item Roadmap for an 18-24 month time frame;
- an Executive Summary and Recommendations; and
- a Vulnerability Assessment Report which includes
  - an Executive Summary and Detailed Assessment Results,
  - a Technical Vulnerability Assessment, and
  - a Social Engineering (phishing) Vulnerability Assessment.
Following are sample excerpts from the Information Security Scorecard.
Each question is scored on a scale developed by Data Perceptions.
Each activity generates a mitigation score.
Data Perceptions provides custom reports; this sample report shows the mitigation activity report by organizational priority, along with the mitigation tasks.
Vulnerability Assessments
Data Perceptions uses vulnerability scans, where appropriate, to identify potential risks.
Vulnerability scan findings are scored on a scale of 1 to 5, with a score of 5 being the most urgent and requiring immediate action.
Data Perceptions uses a third party for vulnerability assessment scans. They use a combination of industry-leading tools for the scans. Two types of scan are typically used:
1. External Vulnerability Assessment
2. Internal Vulnerability Assessment
External Vulnerability Assessment (EVA) scans your external, internet-facing IP addresses for thousands of known vulnerabilities and provides easy-to-interpret reports that pinpoint your most vulnerable IPs in a ranked list. An overall rating of your security level is provided, along with a prioritized list of the vulnerabilities discovered.
Internal Vulnerability Assessment (IVA) is an internal assessment of your security exposures that maps your network infrastructure from the inside and checks for known security weaknesses. IVA identifies physical and virtual devices and, where appropriate, tests each one for tens of thousands of known vulnerabilities.
Internal vulnerabilities are weaknesses that could be exploited by a malicious employee, a contractor, or an attacker who has already gained access to your internal network.