Design & Validate Assessment Strategies
It is critical that organizations develop an effective strategy to regularly test, evaluate, and adapt their business and technology environment to reduce the probability and impact of successful attacks. In this part of the tutorial, we’ll take a look at how to design and validate assessment strategies, to help you understand the different aspects of assessment.
Organizations need to implement a proactive assessment and test strategy for both existing and new information systems and assets. The strategy should be an integral part of the risk management process.
In an information system, an audit is a systematic, technical assessment of an organization’s security policies and controls. An audit process consists of the following phases:
- Determination of goals and scope
- Selection of the audit team
- Audit planning and preparation
- Conducting the audit
- Issuing the review report
There are three basic perspectives for planning for an organization’s assessments, testing, and auditing:
- Internal: These are assessments, tests, and audits performed by personnel who are part of the organization, and they are typically planned for internal audiences. This strategy should be aligned with the organization’s business and routine operations. The advantages of this strategy include lower cost and greater familiarity with the organization’s practices and systems. In many organizations, the Chief Audit Executive reports directly to the President, the Chief Executive Officer, or even the organization’s governing board.
- External: These audits are performed by an outside auditing firm. Some laws and regulations, as well as contractual obligations, may require external assessments, tests, and audits. An external audit strategy should complement the internal strategy. The greatest advantage of using external personnel is that they are objective.
- Third parties: These are audits of critical business activities that have been outsourced to external service providers, or third parties. Depending on the requirements in regulations and contracts, these assessments of third parties may be performed by internal and/or external personnel. A third-party audit can ensure that both internal and external auditors are following the processes and procedures defined as part of the overall strategy. Examples of such audits include SSAE 18, SOC 1, and SOC 2.