Larger Scope Assessments
Larger scope assessments are broad and involve an overall evaluation of the client's ability to enforce confidentiality, integrity and availability (CIA) of assets. The assessment is enterprise-wide, flows from regulatory compliance or corporate policy, is broadly defined, and is architected and crafted with respect to the objectives to be achieved. These assessments are for internal use to prioritize security work, or for external use by customers and regulatory agencies for compliance.
A limited scope assessment has a specific scope, focuses on a detailed review, has specific deliverables, and has a technical orientation. These engagements are periodic, are used to sustain the security environment, and are mostly for middle and/or top management's consumption.
The following are typically the only objectives of a comprehensive security review:
- Self-improvement: to obtain an independent review of the client's ability to protect valuable information assets, prioritize the risks, and implement the most cost-effective control measures in order to mitigate the key information security risks. This is commonly known as an information risk assessment.
- Assurance: to obtain an independent review of the client's ability to protect information assets and share this review with prospective customers, stakeholders, investors, or partners to assure them that the client provides adequate controls to protect its information assets.
Information Risk Assessment
Even the best security program can benefit from an independent review of its effectiveness. An independent review of the client's existing security program will verify the elements that protect its IT assets, identify the areas that are lacking, and pinpoint areas of improvement from a detailed review. A system security review covers all elements of the client's security program, including site protection, policy, procedures, organization, security infrastructure, network, systems, desktop and application security controls. Depending on the initial assessment, the security assessment covers in detail the key components of the security program described in Limited Scope of Assessments.
Security Audit
The successful and continued relationship with some outside organizations and regulatory agencies depends upon or requires the effective control of the client's information assets. Assertions from the client that its control measures are effective typically need to be substantiated and do not by themselves satisfy these stakeholders. Spry Control provides an independent audit of the client's security controls by experienced and credentialed security engineers. Spry Control is well-versed in industry regulations and industry standards, including BS 7799 / ISO 17799, ISO 15408, COBIT, etc. A security audit covers all required elements of the client's security program; depending on the industry, this may include physical protection, policy, procedures, organization, security infrastructure, system, desktop, and application security controls. Depending on the initial assessment, the security assessment covers in detail the key components of the security program described in Limited Scope of Assessments.
The following are the specific audit guidelines used for assurance:
- British Standard BS 7799 / International Standard ISO 17799 provides guidelines for safeguarding the client's information assets. It helps business managers and staff set up and manage an effective information security management system (ISMS). Spry Control can effectively conduct timeline audits of clients that are BS 7799 or ISO 17799 certified, and can assess a client's preparedness for certification. The relevant applicable controls are assessed for effectiveness and efficiency.
- BS 15000/ITIL: BS 15000 is the British standard that provides guidelines for, and assesses, organizations' compliance with ITIL (the Information Technology Infrastructure Library). Spry Control assesses service management (service delivery and service support) processes to ensure that they comply with ITIL guidelines.
- ISACA's guidelines and controls for information assurance formulate COBIT (Control Objectives for Information and related Technology). Spry Control consultants, many of whom are CISAs (Certified Information Systems Auditors) and/or CISSPs (Certified Information Systems Security Professionals), can evaluate and assess your organization's compliance with the COBIT framework for effective IT governance. Controls can be audited at a granular level to check compliance against COBIT.
Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP)
An up-to-date and actionable Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) assures continuity of business in all eventualities. The client may have insufficient in-house skills to produce a reliable and actionable DRP and BCP. Spry Control helps in this area with an up-to-date DRP built on a Business Impact Assessment (BIA), the critical business systems and infrastructure, the data backup strategy, and the organizational and technical arrangements, and harnesses all of them into an effective DRP. Periodic testing of, and changes to, the DRP are an integral part of the DRP services to the client. The BCP is likewise prepared on the BIA for continuing business by manual recording or processing of information if information assets are impaired or unavailable.