Overview of Spry Control Security Assessment Services

A security assessment is a review of current or planned security controls that determines whether they are effective and efficient relative to the organization's security needs, and documents the results. Assessments come in many forms, distinguished by their target, their scope and how much of the organization's security needs they cover.

Security assessments can be carried out at many levels: company-wide, per business unit, for a smaller unit, or for a single security program. Limited-scope assessments are useful for addressing specific security concerns or supporting specific security programs, such as the physical or logical security of information, or the policies and procedures that govern the security regime. An assessment may also be commissioned to investigate known vulnerabilities.

The following outlines the components and coverage of the Information System Security Assessment services offered by Spry Control:

Information System Security Assessment

Targets of assessment: Application, System, Wireless LAN, Clients
Assessment areas: Policies & Procedures, Technical Assessment

Limited Scope Assessments:
  • Security Policy & Procedures Review
  • Code Review
  • System Architecture Review
  • External Vulnerability Scan
  • Internal Vulnerability Scan
  • War Dialing
  • Social Engineering Penetration Testing

Larger Scope Assessments:
  • Information Risk Assessment
  • Security Audits
  • BS 7799 Gap Analysis
  • BS 15000 / ITIL Assessments
  • COBIT Assessment
  • BCP/DRP Review


Scope of Security Review

Every security review requires proper scoping. The extent of the assessment and the subjects under review define the perimeter of the project. Typical subject areas are listed below:
  • Physical security is of overriding importance and is one of the layers on which system security is built. It includes:
    • the site location and surroundings, e.g., crime rate, accessibility, exposure to natural disasters
    • environmental controls, e.g., temperature, humidity, fire suppression
    • perimeter security, e.g., physical access control, walls, fencing, lighting, surveillance
    • administrative procedures, e.g., training, surveillance
  • The organizational structure can support or hamper the effectiveness of security controls. Aspects to consider include:
    • the reporting structure within the organization, e.g., to whom does the head of security report?
    • active participation by the IT steering committee, the audit committee and top management
    • the allocation of monetary and other resources
    • clearly defined security roles and responsibilities entrusted to IT security administrators and functional business owners
  • Policies and procedures are the documented policies, supported by standards and guidelines, and the detailed sequential instructions (procedures) that implement them. Together they provide a planned, repeatable and documented approach to implementing security controls. The review covers:
    • the policy framework, including the security policy
    • access control procedures for the recruitment and termination of employees, acceptable use policies, and system patch management procedures
    • configuration management and change management
    • how effectively the policies and procedures are applied, and how deviations are approved
  • Technology covers the components of a client's security environment and is broadly divided as follows:
    • The system comprises the information system components, operating systems, business applications, and the way these components are put together. Host-based security assessments of the system can be high-level (a security architecture review), low-level (a vulnerability scan), or a combination of the two.
    • Applications are specialized programs running on top of operating systems. They require a distinct assessment process because they range from configurable packages such as ERP systems to custom-built software. The review is carried out by professionals with experience of the specific package or development platform.
    • Network technology, both Local Area Network (LAN) and Wide Area Network (WAN), has become an enabler in many organizations; it offers choices and brings challenges. A LAN migrated to wireless removes the clutter of cabling and makes access easy, and that same ease of access is a major security concern. It is therefore imperative to ensure that wireless LANs are set up securely and that any intrusion is detected in time and acted upon quickly.
    • The desktop comprises the workstations assigned to individual users. These components are distinctive in that they are more exposed to the actions of the user and may carry unique software and connectivity.



Engagements range from limited scope to larger scope, and cover corporate governance, SOX compliance and other regulatory compliance requirements.