Information Security Assessment
The general objective of an Information Technology Security Assessment is to develop a benchmark of your organization's security posture.
Depending on the depth of analysis performed, a security assessment is often confused with an audit. However, security assessments do not have to be all-encompassing.
An assessment can be performed on a specific aspect (e.g. a wireless network, web applications, the configuration of a firewall, etc.). An assessment is generally performed to obtain an objective evaluation of security posture and to reveal the weaknesses, vulnerabilities and threats contributing to your overall risk.
To best achieve the objective(s) of an assessment, it is important to state specifically what is to be performed in the statement of work (SOW).
Assessment Elements
- Review of an organization to advise management and/or professionals on how to improve their operation.
- Generally, three types: self-assessment, second party, or third party.
Assessment
- May be conducted using internal or external resources.
- An assessment is used to establish status relative to a standard or general requirement.