This document provides an overview of conducting a security assessment. It discusses the importance of baselines and risk assessments to establish a starting point for measuring security. It outlines key areas to assess including security organization, policies, risk management programs, and technical controls. The document provides a detailed workplan and guidelines for assessing management controls, operations, applications, databases, networks, remote access, and emergency response. The goal is to identify strengths, weaknesses, and risks to help prioritize security improvements.

1. Security Baselines and Risk
Assessments

2. Baseline
• When a new system is implemented, a
preliminary assessment called a security
baseline needs to be performed.
• A baseline provides a starting point to
measure changes in configurations and
improvements to the system.

3. Risk assessments
• Risk assessments educate the administrators
about their systems.
• Assessments are a mechanism to identify the
strengths and implemented controls of a
system, not just the weaknesses and risks.

4. INFORMATION SECURITY
ASSESSMENT: A PHASED APPROACH
• Areas of increased risk within an organization:
– Operating environment
– Security organization
– Security planning, administration, and
management
– Information security policies, standards, and
procedures
– Information security risk assessment
– Information classification and control

5. Requirements
• Organization chart
• Security policies, standards, and procedures
documentation
• Network diagrams
• List of applications
• List of network management tools
• List of security assessment tools
• Asset inventory
• List of databases
• Reports from previous assessments and audits

6. Information Security Assessment
Workplan
• Section I:
– Provides an overview concentrating on the
management of specific programs developed as a part
of the ISA and the allocation of security
responsibilities.
• Section II:
– Security monitoring
– Computer virus controls
– Microcomputer security
– Compliance with legal and regulatory requirements

7. • Section III, Computer Operations, includes:
– Physical and environmental security
– Computer systems management
– Backup and recovery
– Problem management
• Section IV reviews those areas related to
applications: access controls, application
development and implementation, and
change management.

8. HIGH-LEVEL SECURITY ASSESSMENT
(SECTION I)
• Assessing the Organization of the Security
Function
– An assessment of the security organization should
document the number of individuals performing
security functions, including full-time security
positions as well as individuals that dedicate only
a portion of their time to security.
– To whom these positions report.

9. • Assessing the Security Plan
– The Information Security Plan should be
documented and describe support for the goals
and objectives of the Strategic Information
Technology Plan.
– Determine who is responsible for its development,
review, approval, and implementation.
– Responsibility for, as well as target completion
dates, should be defined for each project,
initiative, or strategy defined in the Plan.

10. • Assessing Security Policies, Standards, and
Procedures
– Determine how policies, standards, and
procedures are developed, reviewed, approved,
and modified and who is responsible for each step
of this process.
• Assessing Risk-Related Programs
– Programs for risk assessment include classification
methodologies, business impact analysis (BIA),
incident and emergency reporting and response,
disaster recovery planning (DRP), business
continuity planning (BCP), and incident
monitoring, investigation, and remediation.

11. – Determine who is responsible for each of these
programs
• Assessment Document Checklist
– Organization chart
– IT strategic plan
– Information security plan
– Security charter or mission statement
– Security policies, standards, and procedures
– Policy acknowledgment forms
– Confidentiality agreements/statements

12. • Network diagrams
• Maintenance and service contracts with third-party
service providers
• Application inventory
• Hardware asset inventory
• Network management tools inventory
• Security assessment tools inventory
• Database inventory
• Classification methodology
• Audit programs
• Compliance checklists
• Security assessment reports
• Resource ownership matrix

13. SECURITY OPERATIONS (SECTION II)
• Security Monitoring
– Security monitoring includes those processes in place
to identify and investigate suspected access violations
and attempted system intrusions.
– For Ex.
• Daily review of remote access log-ins to identify failed access
attempts
• Review of system access logs for access to systems during
non-work hours
• Review of traffic on external gateways
• Review of access to application system utilities and
privileged user activities
• Review of access to sensitive files or data

14. – Procedures are necessary for reporting and
responding to suspected violations.
• Computer Virus Controls
– Effective computer virus controls are an absolute
necessity.

15. For anti-virus security assessments, it
is necessary to ensure that procedures
exist to:
• Download current definitions from the appropriate sources
on a timely basis
• Test virus software before distribution
• Distribute and upload current definitions to all platforms
(servers, mail servers, firewalls, and workstations)
• Validate that distribution of software and definition files is
effective
• Ensure compliance with all anti-virus software procedures
• Assess the communications mechanism between
administrators and users on potential viruses and the
reporting of suspected viruses

16. • Microcomputer Security:
– Monitoring licenses registered versus licenses
used
– Inventorying PC software
– Defining and distributing approved software lists
– Developing software usage policies

17. COMPLIANCE WITH LEGAL AND
REGULATORY REQUIREMENTS
• A security review of these areas should be
conducted to ensure:
– Guidelines on the retention, storage, and handling
of regulated information
– Appropriate protection of classified data
– Compliance with regulatory requirements
– Compliance with legislation protecting
information

18. COMPUTER OPERATIONS (SECTION III)
• Computer operations personnel are
responsible for the physical security of the
central processing facility, ensuring the proper
execution of programs, maintaining system
and critical data backups, responding to and
resolving execution errors, and providing
assistance in the recovery of systems,
programs, and information.

19. Physical and Environmental Security
• Cypher or key pad locks
• Fencing
• Guards
• Monitoring devices
• Maintaining authorized personnel access lists
• Limiting access to only essential operations
personnel
• Maintaining sign-in logs
• Badges

20. Environmental controls include
• Backup power (uninterruptible power systems [UPS])
• Air conditioning
• Fire suppression devices (fire extinguishers, halon,
other)
• Fire detection devices (sensors)
• Heat detection devices
• Business continuity plans (BCPs)
• Alternative processing facilities
• Disaster recovery plans (DRPs)
• System and data backups

21. Backup and Recovery
• Removing backups from the facility creates a
requirement for ensuring that those critical
backups are not subject to unauthorized
access by vendors or outside personnel.
Review who, when, and how third-party
vendors obtain, transport, and store those
critical business system backup tapes.

22. • Internal tape management as well as by third-
party vendors is also very important.
• As a part of physical security, backup
processing locations are important.
• Recovery plans should be tested annually.

23. Computer Systems Management
• Computer systems management includes the
daily execution and maintenance of systems,
applications, and information.
• Maintain a log that details the execution,
completion, and issues identified during the shift.
• This log should be reviewed by management and
jointly reviewed by both the outgoing shift
personnel and incoming shift personnel so that
continuity and efficiency are maintained.

24. • Computer operations personnel should be
restricted from read, write, and delete access
of computer programs.
• Change logs: documentation of changes,
validation of changes, and follow-up testing.

25. Problem Management
• A problem management process needs to be
in place to report, track, and resolve problems
incurred in computer operations, as well as in
dealing with security-related issues.
• Reduction of failures to an acceptable level
• Prevention of the reoccurrence of problems
• Reduction of the impact on service

26. Problem resolution should include:
• Providing a centralized point of contact for problems
• Logging problem calls
• Resolution of problems quickly and efficiently
• Transferring unresolved problems to more technically qualified
personnel
• Tracking and managing difficult problems
• Identifying recurring problems, analyzing root causes, and providing
permanent resolution
• Improving communication and training to end users
• Reporting the status of issues to management, users, and
departments impacted
• Evaluating vendor performance and service-level contracts based
on the level of support provided in resolving issues

27. APPLICATION CONTROLS
ASSESSMENTS
• Security control assessments related to
applications primarily focus on the
appropriate access of
– users,
– administrators, and
– programmers to application data and
functionality, system files, program modules, and
hardware resources.

28. Access Controls
• Data owners approve access based on job
requirements and functionality.
• Role-based access is the most logical method for
setting up access to an application.
• Role-based access is determined by an
employee’s job function — not by who the
employee is as a person.
• Access control lists (ACLs)
• Application access is typically controlled by
menus that restrict user access to certain
functionalities of the application.

29. Separation (or Segregation) of Duties
• Separation of duties ensures that no single
employee has control of a transaction from
beginning to end.
• Separation of duties guards against
manipulating a transaction for personal gain.

30. Audit Trails
• Audit logs are a record of system activities
that provide the capability to reconstruct the
sequence of events related to a transaction.
• Audit logs can be used to determine errors in
system processing as well as misuse of the
system.
• Violation reports that log security-related
events, such as unsuccessful access attempts,
should be monitored daily.

31. • It is necessary to test that users cannot break
out of the menu and obtain the system
prompt.
• Application system utilities are sensitive
because they bypass application access
controls and allow direct access to production
code and data.
• These utilities should be protected by
passwords and should not be accessible from
the application.

32. Authentication
• Authentication as it relates to application
access is defined as the reconciliation of
evidence of user identity.
• The use of a password for authenticating a
user is the most common method and is
known as simple authentication.

33. There are three ways a user can
identify himself to an application or
system:
• Presenting something that only the user
knows.
• Presenting something that only the user has.
• Presenting something that the user is.

34. • Passwords are something that a user knows.
• It is the least secure method of authentication
because a password can be stolen and used by
someone else.
Presenting something that only the
user knows.

35. Something the user has
• Secure token.
• An example of secure tokens are credit card-
size hardware that produce a one-time
password only valid and usable for a small
window of time, such as one minute.

36. Something that the user is
• Passwords and tokens can be stolen.
• Fingerprints and retinas are unique to every
person and they represent who the person is.

37. Using combinations of methods
increases the strength of the
authentication.
• something you know + something you have = two-factor
authentication
• something you know + something you are = two-factor
authentication
• something you have + something you are = two-factor
authentication
• something you know + something you know = two-factor
authentication
• something you have + something you have = two-factor
authentication
• something you are + something you are = two-factor
authentication

38. Password parameters include:
• Application lockout after so many failed
attempts to log on (e.g., three failed attempts)
• Minimum password length (e.g., eight
characters)
• Specified password structure
• Password change frequency (e.g., every 30
days)

39. • Passwords must be unique
• Passwords must be encrypted
• Maintain encrypted password files
• Maintain password history (e.g., last ten
passwords cannot be reused)
• Establish password cycle time
• Non-displayed fields
• Validation of password before passwords can
be changed
• Limitations on sharing passwords

40. Application Development and
Implementation
• A formal program for application development
and implementation is necessary to ensure
that appropriate controls are built into the
application to provide authentication,
authorization, and integrity.

41. The application development and
implementation program should ensure:
• Appropriate access to source libraries
• The ability to audit access to source libraries
• Integrity checks for the input of data to detect
out-of-range values, invalid characters in data
fields, incomplete data, upper and lower data
volume limits, two character data ranges, and
inconsistent control data
• Session or batch controls to reconcile file
balances after transaction updates

42. • Balance controls to validate opening balances
with previously closed balances, including run-to-
run totals, file update totals, program-to-program
totals, and hash totals on records and files
• Management authorization for the initiation of
application acquisition, development, and
maintenance
• Change requests documents that record the
reason for the amendment, date of amendment,
and appropriate approvals
• Separate test and production environments
• Documented acceptance criteria for test plans

43. • New programs and program changes are
formally approved during appropriate phases
of the development process and prior to
implementation
• Formal sign-off and acceptance procedures
• Cut-over procedures to move applications
from the test to the production environment
• Programmers are prevented from updating
production programs
• Programmers are restricted from adding
programs to the production libraries

44. • Segregation of duties in programming and
execution of programs
• System documentation and user
documentation is updated to reflect all
program and operations changes
• Emergency maintenance and temporary fixes
to application and system software are
covered by the same procedures applied to
normal maintenance
• Backup versions of software are maintained
prior to making any changes to the code

45. Change Management
• Change management refers to changes in program
code, operating system configurations, or network
architectures.
• An effective change management program uses an
application or tool to register changes.
• This tool should record the change requestor’s name,
details of the request, business justification, approvers,
estimated time to perform or implement the change,
individuals responsible for modifications, individuals
affected by the change, testing requirements,
requestor’s approval on tests, management approval,
and a scheduled date of change.

46. Check to make sure that:
• The library control systems ensure that all
changes to production programs are
implemented by library control administrators
— and not the programmers who coded the
program
• Only the applications programmers involved in
the changes have access to application
programs under development

47. • Only systems programmers have access to
system programs under development
• Only library administrators have write access
to system and application libraries
• Access to live data is only through programs
that are in the application libraries

48. Database Security
• Access is controlled through discretionary
access controls (DACs) or mandatory access
controls (MACs).
• With DACs, access must be granted before a
user can gain access to a view.
• MACs secure information by assigning
classification levels or labels to data.

49. Network Assessments
• Obtain an understanding of the network
architecture:
– Review network diagrams and documentation
– Interview data network administrators
– Interview voice network administrators
– Interview network device administrators
– Review standards relating to networked systems
– Review planned migration to new technologies
– Review network software inventory
– Review network hardware inventory
– Identify business functions utilizing the network

50. • Obtain an understanding of network management:
– Identify network management tools and other utility
software used in managing the network
– Identify how the network management tools are utilized
– Identify the devices managed through network
– Identify plans or changes to network managers
• Obtain an understanding of network security
administration:
– Identify policies, procedures, standards, and guidelines for
network security administration
– Identify responsibilities for network security
administration
– Identify monitoring capabilities and reports used in
network security administration

51. • Obtain an understanding of new technology
assessments and deployment:
– Identify responsibilities for change control
– Identify audit/security participation in new technology
plans
– Identify documentation of risks in new technologies
– Identify general control strategy used in introduction
of new technologies
– Identify testing/acceptance methods used for new
technologies
– Identify review process for approval of new
technology plans

52. • Obtain an understanding of outage/threat
response capabilities:
– Identify tools and approaches to reducing risks
– Identify responsibility for emergency response
– Identify tools/strategies for responding to
emergency conditions
– Identify threat incidents and priorities

53. Emergency Response
• It is necessary to ensure that bugs, security
holes, and vulnerabilities are disseminated to
the appropriate individuals and that those
individuals are addressing the problem.
• Include follow-up efforts to ensure that alerts,
advisories, and fixes are applied in a timely
manner.

54. Remote Access
• For each of the dial-in connections, the following
activities will be performed:
• Evaluate external connections and dial access:
– Identify external network service providers
– Identify external network users (customers, business
partners, employees, service providers)
– Identify access methods
– Identify frequency of access
– Identify nature of access
– Identify services used for access
– Identify time-of-day access required
– Identify services used when access granted

55. • Evaluate network security features:
– Identify points of control for each access path
– Identify points of control for each service accessed
– Identify points of external control
– Identify nature of control points (intended for
authentication, monitoring, etc.)
– Identify level of functionality for each control point
– Identify responsibility for each control point
• Develop access path schematic:
– Document access paths and control points
– Report observations and recommendations