We use a standard IS Security Assessment methodology. The methodology focuses on
aspects of data security such as confidentiality, loss or corruption of data, and
the associated business impact. It recognises data as a corporate asset, evaluates
the risks associated with the disclosure or loss of data, and identifies avoidance
and mitigation measures.
Our approach is based on international standards and follows this framework:
This is the process of analysing and interpreting risk, and it covers three basic
activities:
Determining the assessment scope
Collecting and analysing data, including asset valuation, consequence assessment,
threat identification, safeguard analysis, vulnerability analysis and likelihood
assessment.
Interpreting risk assessment results.
We test the controls and assess whether they are adequate to minimise the risks.
In the process we recommend security controls to reduce risk to a level acceptable
to management. The following activities are discussed in a specific
Accept residual risk
Testing the existing controls to ensure that they are effective
Implementing controls and monitoring their effectiveness
While proposing security controls, we carry out a cost-benefit analysis to ensure
that the cost of a control does not exceed the cost of the risk it addresses. For
testing, we use automated tools, internal controls (computer-based and
non-computer-based), security checklists, penetration testing tools, etc.
We also take part in the development, implementation and maintenance of IT
Security Policy and Procedures, which broadly cover the following:
Personnel and User Issues
Computer security incident handling
Awareness and Training
Security considerations in operations and maintenance
Physical and environmental security
Identification and Authentication
Data Handling Review
The review evaluates the management of data standards and data administration,
and the controls over the development and implementation of data conversion
systems and system interfaces.