When do we consider information system assets to be secure?
We consider them secure when the expected losses over a given time period are at an acceptable level.
It follows that it is not possible to safeguard all assets and that some loss is inevitable. It is also important that the cost of a control should not exceed the expected losses it guards against. Hence an acceptable level of loss should be defined for a given time period.
There are two types of information systems security:
- Physical security: protects the physical assets of an organisation, i.e. personnel, hardware, facilities, supplies, documentation, etc.
- Logical security: protects data/information and software.
A security program is a series of ongoing, regular, periodic reviews conducted to ensure that the assets associated with the information systems are adequately safeguarded. For the security administrator the initial security review is the most important exercise, since it is where the extent of security required for each asset is evaluated. Subsequent security reviews are modified to accommodate changes in the environment. It is best to draft a security policy to guide security practices within the organisation and to provide a basis for subsequent evaluation of those practices.
Role of auditors: The auditor should evaluate whether security administrators are conducting security reviews on an ongoing basis as per the security program. Inadequate security casts doubt on asset safeguarding and data integrity.
Steps to prepare a security review program
1. Prepare a project plan: A well-defined project plan brings clarity and gives direction to the security program. The plan should encompass the following:
- Objectives of the review
- Scope of the review
- Tasks to be accomplished
- Composition of the project team
- Resource budget
- Schedule and time limit for completion
The project plan should be formally documented; tools such as Gantt charts and PERT charts can be used for this.
2. Identification of assets: Identifying assets can be a mammoth task depending on the size of the organisation; in large organisations the assets may be scattered across geographic locations. The data administrator has to list them according to the size of the organisation and the types of assets it possesses. Consider an organisation with several thousand programs: the difficult part is deciding the level of aggregation at which to work. The finer the level of asset identification required, the more costly the review process.
3. Valuation of assets: Valuing an asset is difficult since different people value assets differently. The value also depends on how long the asset might be lost for and on the age of the asset. For example, management will consider accidentally losing a customer file less serious than losing the file to a competitor. Some assets are easily replaceable, some are not. It is also difficult to value the loss of goodwill when a system failure degrades service. Similarly, the loss of revenue when a customer file is lost to a competitor cannot be valued.
4. Threat identification: Threats can come from external or internal sources. They can be accidental (e.g. acts of God, pollution) or deliberate (e.g. hackers, sabotage by employees, competitors). The effects of some threats are very apparent, while others are very subtle.
5. Threat likelihood assessment: After identifying potential threats, the likelihood of each occurring should be assessed, on the basis of past data where available and of information obtained from stakeholders.
6. Exposure analysis: In this step we:
- Identify the existing controls (using questionnaires, interviews, observation and documentation)
- Assess the reliability of the controls in place (testing controls wherever possible)
- Evaluate the likelihood that a threat will succeed given the set of controls in place
- Assess the loss that will be incurred if a control fails
An asset is exposed when there is no control over it or the control is not sufficient to address the threat. To determine the loss it is essential to determine whether the asset will be lost, damaged, exposed, removed, destroyed or used for unauthorised purposes. The loss may be full or partial.
7. Controls adjustment: The administrator must determine whether the existing controls need to be modified or new controls introduced, keeping in mind that the cost of designing, implementing and operating a control should not exceed the expected losses.
8. Report preparation: The report should document the findings of the security review and suggest new safeguards or changes to existing systems.
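The exposure analysis and controls adjustment steps above reduce to a simple rule: expected loss is the likelihood of a threat succeeding given the controls in place multiplied by the loss if it does, and a control is adopted only when the expected loss it removes covers its cost. The following worked example is added here and is not part of the original notes; every asset, threat, probability, loss and cost figure in it is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair from the exposure analysis (constructed figures)."""
    asset: str
    threat: str
    loss: float             # loss if the threat succeeds (currency units)
    p_success: float        # chance of success per period with current controls
    control: str            # proposed additional control (hypothetical)
    p_with_control: float   # chance of success if the control is adopted
    control_cost: float     # cost to design, implement and operate per period


def expected_loss(p_success: float, loss: float) -> float:
    """Expected loss for the review period: likelihood of success x loss."""
    if not 0.0 <= p_success <= 1.0 or loss < 0:
        raise ValueError("probability must be in [0, 1] and loss non-negative")
    return p_success * loss


def control_justified(e: Exposure) -> bool:
    """Adopt the control only if the expected loss it removes covers its cost."""
    saving = expected_loss(e.p_success, e.loss) - expected_loss(e.p_with_control, e.loss)
    return saving >= e.control_cost


def review(exposures, acceptable_loss):
    """Return (residual expected loss, controls adopted, assets still above the
    acceptable loss per period). Each pair is counted with its proposed control
    when that control is justified, otherwise with the existing controls only."""
    residual, adopted, above_limit = 0.0, [], []
    for e in exposures:
        p = e.p_with_control if control_justified(e) else e.p_success
        if p is e.p_with_control:
            adopted.append(e.control)
        el = expected_loss(p, e.loss)
        residual += el
        if el > acceptable_loss:
            above_limit.append(e.asset)   # residual exposure needs escalation
    return residual, adopted, above_limit


# Constructed sample exposures; figures are illustrative only.
SAMPLE = [
    Exposure("customer file", "disclosure to competitor", 200_000.0, 0.05,
             "encrypt backups offsite", 0.01, 5_000.0),
    Exposure("payroll server", "hardware failure", 40_000.0, 0.10,
             "hot standby server", 0.02, 6_000.0),
    Exposure("printed reports", "accidental loss", 500.0, 0.30,
             "locked cabinets", 0.05, 400.0),
]
```

With an acceptable loss of 3,000 per pair, only the backup encryption pays for itself (it removes 8,000 of expected loss for a cost of 5,000), and the payroll server remains above the limit, which is exactly the situation the report in step 8 should surface.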