COMPUTER SECURITY AUDIT ANALYSIS

Information Security Plan

Goal: Detail the actions needed to improve the identified deficiencies in the organization's risk profile in a timely manner

Provide details such as what will be done, what resources are needed and who is responsible.

Should include

Risks

Recommended controls

Responsible personnel

Action priority for each risk

Information Security Protection & Detection

Implementation plan

Plan documents

Identify personnel to perform the needed tasks

Monitor to ensure the process is followed correctly

Management approves when completed

Follow up

Evaluate changes

Continued maintenance and monitoring

Ensure controls perform as intended

Detect incidents

Reports from users or staff

By automated tools

Administrators monitor vulnerability reports

Types of security incidents

Any action threatening the classic security services (confidentiality, integrity, availability)

Unauthorized access to a system

Unauthorized modification of information on a system

Manage security incidents

Detection and Analysis

Containment, Eradication, Recovery

Preparation

Post-incident activity

Respond to incidents

Need documented response procedures

Documenting incidents

Identify the vulnerability that was exploited

Record details for future reference

Consider the impact on the organization and its risk profile

Information Security Control

Select suitable controls to apply to the system in order to reduce its risks

Management Control

Operational Control

Technical Control

Cost-benefit analysis

To identify which controls are most appropriate and provide the greatest benefit to the organization

Includes the impact of implementing a new or enhanced control, the impact of not implementing it, and the estimated cost of implementation

Factors (outcome of the analysis for a candidate control)

Reduces risk and is less expensive than the risk it addresses - Use it

Costs more than the risk reduction it provides - An alternative should be used

Does not reduce the risk sufficiently - Either more or different controls should be used

Provides sufficient risk reduction - Use it