adam's notes

Security Audits and Assessments

  • Security policies ensure that an organization has:
    • evaluated the risks it faces
    • put security controls in place to mitigate those risks
  • Making a system more secure is also referred to as hardening

Risk Management

Posture Assessment

A security control is something designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation.

  • can be expensive
    • must balance cost of controls with the cost of risk

The overall status of risk management is referred to as risk posture.

  • shows which risk response options can be identified and prioritized

Posture assessment is the audit process and tools for verifying compliance with a compliance framework or configuration baseline.

  • performed with reference to an IT or security framework
    • used to assess the organization’s maturity level in its use of security policies and controls

Cybersecurity audits are comprehensive reviews designed to ensure an organization’s security posture aligns with established standards and best practices.

  • types:
    • compliance audits
      • assess adherence to regulations
    • risk-based audits
      • identify potential threats and vulnerabilities in an organization’s systems and processes
    • technical audits
      • delve into the specifics of the organization’s IT infrastructure
        • examine network security, access controls, data protection

Process Assessment

Effective risk management must focus on mission essential functions that could cause the whole business to fail if they are not performed.

  • involves identifying critical systems and assets that support these functions

A mission essential function (MEF) is a business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

  • if any service disruption, these must be restored first

Business impact assessment (BIA) is the process of assessing what losses might occur for a range of threat scenarios.

  • e.g., DoS attack suspends an e-commerce portal for five hours
    • BIA will be able to quantify
      • the losses from orders not made
      • customers moving to other suppliers based on historic data
    • likelihood of DoS attack can be assessed on an annualized basis to determine impact in terms of cost
    • thus have information required to assess whether a security control is worth it

Graph View

Backlinks