Information Technology Security Assessment

Information Technology Security Assessment (IT Security Assessment) is an explicit study to locate IT security vulnerabilities and risks.^[1]

There are many reasons that a company would wish to run a security assessment and the kind of assessment that is ultimately chosen is purely dependent on the specific needs of the company ordering the service.

• For one thing, companies may wish to learn more about who can access their systems and at what permission level they have when they do. This type of assessment is common among companies which run membership sites that deal with payment issues and services, and where having the wrong people accessing the wrong areas of the system could potentially cause a lot of harm. Another type of assessment is insurance-based. It is not uncommon for a company that depends on their IT systems to wonder what would happen if some part of their system was to fail. A security company can run the appropriate tests and offer the correct guidance to safeguard against any possible loss in information or time.
• There are also many network-related issues that must be taken into consideration. From web content filtering to firewall and intrusion detection to remote access controls, there are a multitude of settings and and configurations that need to be taken into consideration if a company wishes to remain secure.

Companies that conduct security assessments on IT systems and networks follow a fairly standard pattern. They must first observe the system and all of its components to identify the requirements of the task at hand. After the problems and scope have been identified, most companies will then create an action plan to present to their customer. Following that, vulnerability scans, penetration tests, and a few other common methods of testing the security level of a system are conducted.^[2]

IT security risk assessments like many risk assessments in IT, are not actually quantitative and do not represent risk in any actuarially-sound manner. Measuring risk quantitatively can have a significant impact on prioritizing risks and getting investment approval. Quantitative risk analysis has been applied to IT security in a major US government study in 2000. The Federal CIO Council commissioned a study of the $100 million IT security investment for the Department of Veterans Affairs with results shown quantitatively.

See Also

References