
ISO 17799 risk assessment

Purpose. To assess the current information security status of a company. This knowledge is useful for improving the security of all the company's information assets, and for preparing for an external audit whose results can be used in communications with external entities such as insurance carriers and business partners. This risk assessment is often the initial phase of adopting a more formal information security program.

Methodology. Includes information gathering via interviews and document review, testing of critical infrastructure, analysis of the information obtained, and reporting against the "Information technology - Code of practice for information security management" defined in ISO/IEC 17799.

Testing. The testing performed depends on the needs of the client, but a complete assessment would include all of the following:

  • Review configuration of standard servers
  • Review router ACLs
  • Scan key systems for vulnerabilities
  • Scan selected subnets from internal address space in order to verify proper network control and segmentation
  • Scan selected subnets from external address space in order to verify proper network control and segmentation
  • Survey campus for rogue wireless access points
  • Survey the telephone number block for unapproved modems on the company network
  • Survey physical access controls relative to critical information assets

Deliverables.

  1. Immediate, informal notification of any critical vulnerabilities discovered. Either verbally or by email, MSB will inform appropriate client management of any vulnerabilities that should be addressed immediately, as these are identified.
  2. A formal, written report assessing the security posture of the client. At a minimum, this report will contain an executive summary; a list of vulnerabilities or other deficiencies found in security policies, processes, procedures, controls and the security organization; and recommended actions for remediation. Technical references will be provided as appropriate.
  3. A written overview of current client capabilities with regard to the 10 categories defined in ISO 17799, i.e. a capabilities model scorecard.
  4. Either a project plan outlining the actions needed to address deficiencies in Yahoo! capabilities with regard to the ISO 17799 model, or input to existing client project planning for the same purpose, at the discretion of the client.
  5. Optionally, a presentation to or for client executives that summarizes the results of the assessment.

Copyright © 2003 MSB Associates