Doing an ISA makes an organization proactive and strong by keeping its information secure. It
safeguards the organization against hacks.
Establishing a process for security audits reduces reactivity, saves time, and lowers labor costs.
An ISA can also help meet legal and regulatory requirements for sensitive data.
correctly,
completely,
and iteratively.
It helps improve systems over time, manage knowledge, and save time that would otherwise be lost
reinventing unsystematized work.
Who should be involved?
Designated auditors -- the "auditing team" -- are staff with technical knowledge of the
organization’s business processes and IT assets.
The auditing team should include people from various departments and pay levels.
Phase 1: Identify
This Zone Map will be used later in your risk assessment. It will allow allocation of resources —
financial, human, and physical — to where they are needed.
List dependencies
For example,
Assessing servers might require the presence of people who have security access.
Assessing remote data centers depends on the ability of staff to travel.
Assessing staff computers might depend on employee work schedules and workloads at a
particular time.
IT
Management
The business office
Any others involved in planning
For each security zone defined in your Zone Map (Phase 1),
answer the questions in the checklist below.
Use the Risk Assessment Checklist (attached below) to write out your answers. This list of
answers will be made into a report later.
Be careful not to assume you know where all the risks lie. Involve all relevant personnel, not just
IT, in this decision. Include staff from various departments and levels.
As you address each item, note how long it takes to arrive at a complete answer.
This will give a good estimate of time needed to complete a full risk assessment.
Risk-Assessment Checklist
How are external network connections, including our Internet connection, configured and
protected?
2. In column 2, rank each item by consequence (i.e., its level of importance to the company) from 1
to 5, with 1 being the highest consequence.
3. In column 3, rank the likelihood of occurrence (probability), with 1 being the highest
probability.
Note: When assessing probability, consider that it increases with the number of users.
This data quantifies the potential lost revenue in the event that each vulnerability is exploited.
$c \times p = r$, where $c$ is the consequence rank, $p$ is the probability rank, and $r$ is the resulting risk score.
Qualify.
Qualify the potential damage by estimating harm to reputation or some other intangible aspect.
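The scoring steps above (rank consequence and probability with 1 as the highest rank, multiply to get r, then qualify the intangible harm), worked through as an added Python example that is not part of the original document. It assumes probability uses the same 1 to 5 scale as consequence; the zones, findings and rank values are constructed for illustration.

```python
from dataclasses import dataclass

RANK_MIN, RANK_MAX = 1, 5  # document's scale: 1 = highest consequence; assumed 1..5 for probability too


def rank_in_scale(value: int) -> bool:
    """True if a column-2 or column-3 rank is within the 1..5 scale."""
    return isinstance(value, int) and RANK_MIN <= value <= RANK_MAX


@dataclass
class RiskItem:
    zone: str                 # security zone from the Zone Map (Phase 1)
    vulnerability: str        # the item assessed from the checklist
    consequence: int          # column 2: 1 (highest) .. 5 (lowest)
    probability: int          # column 3: 1 (highest) .. 5 (lowest)
    qualitative_harm: str = ""  # "Qualify" step: reputation or other intangible harm

    def __post_init__(self):
        for name, value in (("consequence", self.consequence), ("probability", self.probability)):
            if not rank_in_scale(value):
                raise ValueError(f"{name} must be {RANK_MIN}..{RANK_MAX}, got {value!r}")

    def risk_score(self) -> int:
        # c x p = r. Because 1 is the HIGHEST rank on both scales, a LOWER r means a HIGHER risk.
        return self.consequence * self.probability


def prioritize(register):
    """Order items from highest to lowest risk: ascending r, ties broken by consequence then probability."""
    return sorted(register, key=lambda i: (i.risk_score(), i.consequence, i.probability))


# Constructed sample register (hypothetical zones and findings, not from the original document).
SAMPLE_REGISTER = [
    RiskItem("Perimeter", "Internet connection rules not reviewed", 1, 2,
             qualitative_harm="Public breach notice would damage customer trust"),
    RiskItem("Remote data center", "Backup generator untested", 2, 4),
    RiskItem("Staff workstations", "Outdated software on shared machines", 3, 1,
             qualitative_harm="Many users, so probability rises with user count"),
    RiskItem("Business office", "Shared account for a printing service", 4, 3),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"r={item.risk_score():2d} (c={item.consequence}, p={item.probability}) "
              f"{item.zone}: {item.vulnerability} | {item.qualitative_harm or '-'}")
```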
Phase 4: Document.
Introduction