SRAA (Security Assessment and Audit)

What is SRAA (Security Assessment and Audit)?

An SRAA (Security Assessment and Audit) identifies, assesses, and verifies the implementation of key security controls in applications and their supporting infrastructure. It also focuses on preventing application security defects and vulnerabilities from reaching production.

Carrying out a risk assessment allows an organization to view its application portfolio holistically, from an attacker's perspective. It supports managers in making informed decisions on resource allocation, tooling, and the implementation of security controls. Conducting an assessment is therefore an integral part of an organization's risk management process.

How does an SRAA (Security Assessment and Audit) work?

Factors such as size, growth rate, resources, and asset portfolio affect the depth of the risk assessment model. Organizations can carry out generalized assessments when experiencing budget or time constraints. However, generalized assessments do not necessarily provide detailed mappings between assets, associated threats, identified risks, impact, and mitigating controls.

If generalized assessment results don’t provide enough of a correlation between these areas, a more in-depth assessment is necessary.

The stages of a successful SRAA (Security Assessment and Audit) model are:

  • Identification. Identify all critical assets of the technology infrastructure in the environment. Then identify the sensitive data that is created, stored, or transmitted by each asset.
  • Assessment. Assess the security risks for each critical asset. After the assessment, decide how to assign time and resources effectively and efficiently to the mitigation of those risks. The assessment approach or methodology must analyze threats and vulnerabilities together with the controls that mitigate them.
  • Mitigation. Define a mitigation approach and implement security controls for each risk.
  • Prevention. Implement processes or protection to minimize threats and vulnerabilities in the firm's IT environment and resources.

SRAA (Security Assessment and Audit) Services provided

ITSec Security Consulting Limited offers both Security Risk Assessment (SRA) and Security Audit (SA) as a third-party independent assessor / auditor, to satisfy the security standards that require an SRAA.

Although the methodology is standardized, the scope, code base and systems vary between projects. The following catalogue lists samples of the services provided:

  • Application specific
    – Web-based application
    – Mobile app (Android or iOS, or both)
    – Legacy client / server based
    – IoT device
  • Network specific
    – Public cloud infrastructure (Azure, AWS, etc.)
    – On-premises external network (Internet facing)
    – On-premises internal network
    – On-premises Wi-Fi network
    – Hybrid network including on-premises network and external IoT devices
  • Platform design and implementation specific
    – Microsoft 365 and SharePoint
    – ERP / CRM system
    – Portal / CMS based (e-Learning / e-Leave) system
    – Membership management system
  • Infrastructure specific
    – Switches, firewalls, Intrusion Detection / Prevention Systems, end-point devices
    – SIEM / log management system
    – Central control and monitoring system
    – Security cabinet integration with facilities such as CCTV, RFID, access locks
    – Activity tracking / anti-wandering system (health-care specific)
    – Indoor positioning system (health-care specific)
  • Technology specific
    – Dynamic Application Security Testing (DAST): automated scan of the running application
    – Static Application Security Testing (SAST): security scan of the application source code
    – Credentialed scan: automated application / network scan performed with given access privileges
    – Penetration test (white-box, black-box or grey-box approach)

SRAA (Security Assessment & Audit) Methodology

Security Assessment

The primary methodology is based on the international standard ISO/IEC 27001 and the OGCIO Practice Guide, and includes the following components and processes:

(1) Planning

  • identification of the level of criticality: e.g. testing environment, pre-production environment
  • identification of the data confidentiality level: e.g. confidential, public
  • identification of the physical and logical boundary from an IT security perspective
  • identification of the assessment tool(s)
  • planning of the approach, methods, and assessment tools to be used
  • identification of possible service interruption and the necessary recovery procedure

(2) Information Gathering

  • gather evidence such as the following for the technical review:
    • security requirements and objectives
    • system and network architecture and infrastructure
    • application and server information
    • access controls, processes, identification and authentication mechanisms
    • documented or informal policies and guidelines, etc.

(3) Risk Analysis

  • Determine the risk to each IT asset based on the following processes:
    • asset identification and valuation
    • threat analysis
    • vulnerability analysis
    • asset/threat/vulnerability mapping
    • impact and likelihood assessment
    • risk results analysis

(4) Identification and selection of Safeguards

  • Identify and recommend relevant measures based on the results of risk analysis to reduce the likelihood and impact of identified threats and vulnerabilities to an acceptable level.
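The following is an added worked example of the risk analysis and safeguard selection steps above (asset valuation, threat and vulnerability analysis, asset/threat/vulnerability mapping, impact and likelihood scoring, and the selection of safeguards down to an acceptable residual risk). It is illustrative code, not part of the OGCIO Practice Guide, ISO/IEC 27001 or ITSec's own assessment tooling; the 1..5 scales, the rating bands, the acceptable-risk threshold and every asset, threat and safeguard effect are constructed for the example.

```python
"""Worked risk analysis: asset/threat/vulnerability mapping, impact x likelihood
scoring and greedy safeguard selection down to an acceptable residual risk.
Added example; all scales, assets, scores and safeguard effects are constructed."""
from dataclasses import dataclass, replace


def clamp(n: int) -> int:
    """Keep likelihood and impact on the 1..5 scale."""
    return max(1, min(5, n))


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # asset valuation, 1 (low) .. 5 (critical)

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # 1 (rare) .. 5 (almost certain), before controls

@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: int       # 1 (hard to exploit) .. 5 (trivially exploitable)

@dataclass(frozen=True)
class Safeguard:
    name: str
    likelihood_reduction: int = 0   # points taken off likelihood (preventive)
    impact_reduction: int = 0       # points taken off impact (damage-limiting)

@dataclass(frozen=True)
class RiskItem:
    """One register row: the asset, the threat to it, the vulnerability the
    threat would exploit, and the safeguards currently applied."""
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability
    safeguards: tuple = ()

    def likelihood(self) -> int:
        # Threat likelihood and ease of exploitation averaged (rounded up),
        # then reduced by preventive safeguards.
        base = (self.threat.likelihood + self.vulnerability.exposure + 1) // 2
        return clamp(base - sum(s.likelihood_reduction for s in self.safeguards))

    def impact(self) -> int:
        # Impact follows the asset value, reduced by damage-limiting safeguards.
        return clamp(self.asset.value - sum(s.impact_reduction for s in self.safeguards))

    def score(self) -> int:
        return self.likelihood() * self.impact()    # 1 .. 25


def rating(score: int) -> str:
    """Band a 1..25 score as a 5x5 heat map would (constructed bands)."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def with_safeguard(item: RiskItem, s: Safeguard) -> RiskItem:
    return replace(item, safeguards=item.safeguards + (s,))


def select_safeguards(item: RiskItem, candidates, acceptable: int = 6):
    """Greedily add the candidate that lowers the score most, until residual
    risk is at or below `acceptable` or no remaining candidate helps.
    Returns (residual item, list of chosen safeguards)."""
    remaining, chosen = list(candidates), []
    while item.score() > acceptable and remaining:
        best = min(remaining, key=lambda s: with_safeguard(item, s).score())
        if with_safeguard(item, best).score() >= item.score():
            break   # nothing left reduces this risk: candidate for risk acceptance
        item, chosen = with_safeguard(item, best), chosen + [best]
        remaining.remove(best)
    return item, chosen


def risk_register(items):
    """Rows sorted highest risk first: (score, rating, asset, threat, vulnerability)."""
    return sorted(((i.score(), rating(i.score()), i.asset.name,
                    i.threat.name, i.vulnerability.name) for i in items), reverse=True)


# Constructed sample scope, not a real client environment.
SQLI_RISK = RiskItem(Asset("customer database", value=5),
                     Threat("external attacker extracts records", likelihood=4),
                     Vulnerability("unparameterised SQL in login form", exposure=5))
DEFACE_RISK = RiskItem(Asset("public marketing site", value=2),
                       Threat("opportunistic defacement", likelihood=3),
                       Vulnerability("outdated CMS plugin", exposure=3))
SQLI_CANDIDATES = [
    Safeguard("parameterised queries and input validation", likelihood_reduction=3),
    Safeguard("WAF in blocking mode", likelihood_reduction=1),
    Safeguard("field-level encryption of personal data", impact_reduction=2),
]

if __name__ == "__main__":
    for row in risk_register([SQLI_RISK, DEFACE_RISK]):
        print(row)
    residual, picks = select_safeguards(SQLI_RISK, SQLI_CANDIDATES)
    print([s.name for s in picks], "-> residual", residual.score(), rating(residual.score()))
```

Running the script ranks the SQL injection risk against the customer database at 25 (High) and the defacement risk at 6 (Low, already within the acceptable threshold), then recommends parameterised queries followed by the WAF for the first, leaving a residual score of 5. The point a practitioner should take from it is structural rather than numeric: every row keeps its asset/threat/vulnerability mapping, so the recommended safeguards are traceable back to the specific risk they treat, and a row that no candidate safeguard can bring under the threshold is surfaced explicitly for a risk-acceptance decision instead of disappearing into an average.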

(5) Monitoring and Implementation; Reporting and Remediation Recommendation

  • Security Risk Assessment (SRA) reporting typically includes the following information:
    • introduction and background information;
    • executive summary
    • assessment scope and objectives
    • assumptions and limitations
    • methods and assessment tools used
    • current environment or system description with network diagrams, if any
    • security requirements
    • summary of findings and recommendations
    • risk analysis
    • recommended safeguards
  • Properly documented results enable the SRA process to be audited. They also facilitate ongoing monitoring and review.
  • Re-assessment and Security Audit (SA) are the common ways to review the implementation of security measures.

Benefits of SRAA (Security Assessment and Audit)

To provide a complete and systematic view to management on existing IT security risk and on the necessary security safeguards.

To provide a reasonably objective approach for IT security expenditure budgeting and cost estimation.

To enable a strategic approach to information security management by providing alternative solutions for decision making and consideration.

To provide a basis for future comparisons of changes made in IT security measures.

Frequency of Security Assessment and Audit

Security assessment is an ongoing activity. For a new information system, the assessment should be conducted early in the system development life cycle, so that security risks can be identified and appropriate security controls selected at an early stage. For an existing system, it should be conducted at least once every two years, or whenever major changes are made, to uncover the risks in the information system. A security assessment can only give a snapshot of the risks of an information system at a particular time. For mission-critical information systems, it is recommended to conduct a security assessment more frequently.

Type of Security Assessment and Audit

Depending on the purpose and scope of the assessment, security assessments can be categorized into different types. The choice of type and its timing depend on your system requirements and resources.

High-level Assessment: This assessment emphasizes the analysis of the departmental security posture, as well as the overall infrastructure or design of a system, in a strategic and systematic way. Companies with many information systems use it when they are looking for a high-level risk analysis of their information systems rather than a detailed technical control review. It can also be applied to a system in the planning phase, to identify risks or review general security controls before the system is designed.

Comprehensive Assessment: This assessment is typically conducted periodically for the security assurance of a company's information systems. It can be used to evaluate the risks of a particular system and to provide recommendations for improvement. A general control review, system review, and vulnerability identification are conducted during the information gathering stage. A verification process should follow, to ensure that all recommended remedies are properly followed up.

Pre-production Assessment: Similar to the work performed in a Comprehensive Assessment, this assessment is commonly conducted on a new information system before it is rolled out, or after a major functional change. For a new information system, the company should conduct a security review in the design stage, which serves as a checkpoint to ensure that the necessary security requirements are identified and incorporated in the design or in other phases as appropriate. The pre-production security risk assessment should then verify the follow-up actions from that security review, to ensure that the necessary security measures and controls are properly implemented before production rollout.


Roles and Responsibilities of Stakeholders

The roles and responsibilities of all parties involved should be carefully defined. A team of individuals representing a variety of disciplines, each with assigned responsibilities, is recommended to best accomplish the assessment. Depending on availability and requirements, some or all of the following members may be included:

  • System or information owners
  • IT security officers
  • System or network administrators
  • Computer operations staff
  • Application or system developers
  • Database administrators
  • Users or senior users
  • Senior management
  • External contractors
ITSec Security Consulting

Contact us for a Security Assessment in Hong Kong, the United Kingdom, Europe, Estonia, Singapore and beyond.

Facebook:

https://www.facebook.com/ITSec-Security-Consulting-237738580247975

Google:

https://itsecsecurityconsulting.business.site/?m=true

Case Reference: