Page 90 - Cyber Warnings
loss of data or in other ways. Also, if threats have happened in the past, these must also be
factored in because they provide more information to the organization.
• Evaluate the controls already in place – key controls and non-key controls should be observed,
and the organization should evaluate how these controls are currently working. The organization
should also consider whether each control is still needed.
Types of Security Assessments
Liu, Kuhn, and Rossman (2009) stated that there are two types of security assessments: analysis
and evaluation. For analysis, Scarfone (2012) stated that there are several types of reviews that an
organization can do, including reviews of documentation, logs, rulesets and system configuration,
network sniffing, and file integrity checks.
There are also target identification and analysis techniques and network assessments.
All of these assessments can be done by an organization over time. Atyam (2010) suggested
that there are several stages within the security assessment process. All phases should be
centered on identifying the various aspects of the business and understanding how each aspect
of the process is functioning to prevent security risks.
Atyam also stated that assessment is the first step in determining whether security is working.
Who Should Be Involved
Radack (2012) stated that all people within an organization have a role in the process of security
assessment because managing risk is both comprehensive and complex and involves many
different activities within the organization.
Radack suggested an integrated approach to security assessment because different individuals
have valuable information to provide in the assessment. When the assessment should be done
depends on the regulations set out at the local, state, or federal level.
Conclusion
There are many issues to take into consideration when creating a risk assessment. The
organization must first analyze what they are going to look for and then evaluate the process. All
employees within the organization should be a part of the process of evaluation and this
evaluation can be done internally because the employees have a better understanding of the
organization.
Assessments are done depending on the regulations from the local, state, or federal programs.
90 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide