June 02, 2011, 11:12 AM — A security assessment is a request to analyze the risk of an IT solution. The request is initiated by a CISO (Chief Security Officer) or ISO (Information Security Officer) within a corporation. It is used to make sure that security concerns are addressed before changes are made to the information technology infrastructure. There are foundation plans, which evaluate the state of new applications or infrastructure, and incremental plans, which address changes to the foundation plan.
What are the components of a risk assessment?
The following components are critical: an environmental characterization questionnaire, a change summary, reference plans, the Threat Vulnerability Matrix (TVM), scope, and risk summary. In my current work, the risk assessment is created in a web portal where a series of web pages and a database create the assessment. The risk assessor interviews application and/or infrastructure owners about the changes in a discovery call, follow-up meetings, and emails. The main results are a change summary narrative of the application or infrastructure, discovered risks, and a risk summary.
The risk summary comes from two sets of risks. The first set is non-inherited risks; they are discovered in the discovery call and follow-on calls/emails, together with risks already recorded in the foundation plan and its various incremental changes. The second set of risks, inherited risks, comes from technologies that are referenced in the change summary. For example, if an application uses Active Directory to authenticate its users, Active Directory is referenced as a reference plan, and the application then inherits the risks associated with Active Directory.
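As an added illustration (not code from the original post or from the portal it describes), the model below shows how a risk summary can be assembled from the two sets: non-inherited risks (discovered risks plus those recorded in the foundation plan and its incremental plans) and inherited risks collected from reference plans. Plan names and risk IDs are constructed sample data, and one assumption goes beyond the post: inheritance is followed transitively, so a reference plan's own references also contribute, with a visited set so circular references terminate.

```python
"""Added illustration of non-inherited vs. inherited risk aggregation.
Plan names and risk IDs are constructed sample data, not from any real assessment.
Assumption: inheritance follows reference links transitively (the post shows one level)."""
from dataclasses import dataclass, field


@dataclass
class Plan:
    name: str
    risks: set[str] = field(default_factory=set)        # risks recorded in this plan
    references: set[str] = field(default_factory=set)   # names of reference plans


# Constructed sample assessments: a foundation plan, one incremental plan,
# and two reference plans (Active Directory itself references a network plan).
SAMPLE_PLANS = {
    "PayrollApp": Plan("PayrollApp", {"APP-01 no server-side input validation"}, {"ActiveDirectory"}),
    "PayrollApp-Inc1": Plan("PayrollApp-Inc1", {"APP-02 new report export lacks authorization check"}),
    "ActiveDirectory": Plan("ActiveDirectory",
                            {"AD-01 password policy below standard", "AD-02 stale service accounts"},
                            {"CorpNetwork"}),
    "CorpNetwork": Plan("CorpNetwork", {"NET-01 flat segmentation between tiers"}),
}


def inherited_risks(plan_name: str, plans: dict[str, Plan]) -> set[str]:
    """Collect risks from every plan reachable through reference links.

    A reference plan that has no assessment on record is an error: the owner
    cannot inherit risks that were never documented.
    """
    seen: set[str] = set()
    stack = list(plans[plan_name].references)
    risks: set[str] = set()
    while stack:
        ref = stack.pop()
        if ref in seen:            # guards against circular references
            continue
        seen.add(ref)
        ref_plan = plans.get(ref)
        if ref_plan is None:
            raise KeyError(f"reference plan {ref!r} has no assessment on record")
        risks |= ref_plan.risks
        stack.extend(ref_plan.references)
    return risks


def risk_summary(foundation: str, incrementals: list[str], discovered: list[str],
                 plans: dict[str, Plan]) -> dict[str, list[str]]:
    """Build the risk summary: non-inherited risks, inherited risks, and the union."""
    non_inherited = set(discovered) | plans[foundation].risks
    inherited = inherited_risks(foundation, plans)
    for inc in incrementals:
        non_inherited |= plans[inc].risks
        inherited |= inherited_risks(inc, plans)
    return {
        "non_inherited": sorted(non_inherited),
        # A risk already owned directly is reported once, as non-inherited.
        "inherited": sorted(inherited - non_inherited),
        "all": sorted(non_inherited | inherited),
    }


if __name__ == "__main__":
    summary = risk_summary("PayrollApp", ["PayrollApp-Inc1"],
                           ["APP-03 credentials logged at debug level"], SAMPLE_PLANS)
    for section, items in summary.items():
        print(section)
        for item in items:
            print("  -", item)
```

Running the module prints the three sections for the constructed payroll application; the inherited section picks up the Active Directory risks and, through Active Directory's own reference, the network risk, which is the behaviour the assumption about transitive inheritance adds on top of the post's one-level example.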
Where will an assessor spend most of their time?