Security Risk Assessment & Audit (SRAA)
Understanding potential vulnerabilities and threats to your IT infrastructure
Compliance with the requirements set by the Office of the Government Chief Information Officer (OGCIO)
Strengthen security controls & protect sensitive information
Unbiased and objective assessment
What is Security Risk Assessment (SRA) & Security Audit (SA)?
SRAA is intended to be carried out at planned intervals and after significant changes.
Who is SRAA suitable for?
What are the benefits of SRAA?
How does SRAA work?
Planning (SRAA):
Planning plays a crucial role in identifying and choosing the most effective and efficient approach for conducting the audit or assessment.
The following key elements should be defined before the audit/assessment starts:
- Project scope and objectives
- Background information
- Constraints
- Roles and responsibilities of stakeholders
- Approach and methodology
- Project size and schedule
- Data and tool protection considerations (how assessment data, scan results and tooling are stored, transmitted and disposed of)
Information Collection (SRAA):
The goal is to gain an understanding of the existing system and its environment. The following types of information are typically gathered:
- Security requirements and objectives
- System or network architecture and infrastructure, including network diagrams illustrating asset configuration and interconnections
- Publicly available information and web page content
- Physical assets such as hardware equipment
- System software such as operating systems and network management systems
- Content such as databases and files
- Application and server information
- Networking details such as supported protocols and offered network services
- Access control measures
- Processes such as business, computer, network, and application operation processes
- Identification and authentication mechanisms
- Applicable statutory, regulatory, and contractual requirements for minimum security controls
- Documented or informal policies and guidelines
Risk Analysis (SRA):
Risk analysis determines the value of assets and assesses the risks to them. It should cover, among other areas:
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Outsourcing security
- IT security aspects of business continuity management
In general, the risk analysis process can be divided into the following sub-processes:
- Asset identification and valuation
- Threat analysis
- Vulnerability analysis
- Asset/threat/vulnerability mapping
- Impact and likelihood assessment
- Analysis of risk results
- Improvement actions by organizations
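As an added example (not code from this page, from OGCIO, or from any provider's official methodology), the following Python script chains the sub-processes listed above over a small constructed register: asset valuation from confidentiality/integrity/availability impact, an asset/threat/vulnerability mapping, impact and residual-likelihood scoring, a ranked result list, and a treatment list for the improvement step. The 1-to-5 scales, the risk bands, the asset names and the exposures are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed qualitative scale: asset impact and threat likelihood are scored
# 1 (low) to 5 (high); existing-control strength is scored 0 (none) to 4.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # business impact if disclosed, 1-5
    integrity: int        # business impact if modified, 1-5
    availability: int     # business impact if unavailable, 1-5

    def value(self) -> int:
        # Asset valuation: take the highest of the three impact ratings, so an
        # asset that is critical on any single axis is treated as critical.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Exposure:
    """One row of the asset/threat/vulnerability mapping."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # chance the threat exploits the vulnerability, 1-5
    control_strength: int  # effectiveness of existing controls, 0-4


def validate(e: Exposure) -> None:
    # Reject scores outside the assumed scales instead of silently ranking them.
    if e.likelihood not in SCALE or not 0 <= e.control_strength <= 4:
        raise ValueError(f"out-of-range score in {e}")


def risk_score(asset: Asset, e: Exposure) -> int:
    """Impact x residual likelihood, on a 1-25 scale.

    Impact is the asset value; residual likelihood is the raw likelihood
    reduced by the strength of existing controls, never below 1.
    """
    validate(e)
    residual_likelihood = max(1, e.likelihood - e.control_strength)
    return asset.value() * residual_likelihood


def rating(score: int) -> str:
    # Assumed risk bands on the 1-25 product scale.
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def analyse(assets, exposures):
    """Map each exposure to its asset, score it, and rank the results."""
    by_name = {a.name: a for a in assets}
    rows = []
    for e in exposures:
        if e.asset not in by_name:
            raise KeyError(f"exposure refers to unknown asset {e.asset!r}")
        score = risk_score(by_name[e.asset], e)
        rows.append({"asset": e.asset, "threat": e.threat,
                     "vulnerability": e.vulnerability,
                     "score": score, "rating": rating(score)})
    rows.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep order
    return rows


def treatment_plan(rows, appetite="Low"):
    """Improvement actions: every risk rated above the stated appetite."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    return [r for r in rows if order[r["rating"]] > order[appetite]]


# Constructed sample register (not real systems or findings).
ASSETS = [
    Asset("customer-db", confidentiality=5, integrity=5, availability=4),
    Asset("intranet-wiki", confidentiality=2, integrity=2, availability=3),
    Asset("public-website", confidentiality=1, integrity=4, availability=4),
]

EXPOSURES = [
    Exposure("customer-db", "external attacker", "SQL injection in legacy report page", 4, 1),
    Exposure("customer-db", "malicious insider", "shared DBA account without audit logging", 3, 0),
    Exposure("public-website", "volumetric DDoS", "no rate limiting at the edge", 4, 2),
    Exposure("intranet-wiki", "commodity malware", "missing OS patches on wiki server", 3, 2),
]

if __name__ == "__main__":
    for r in analyse(ASSETS, EXPOSURES):
        print(f"{r['rating']:6} {r['score']:2}  {r['asset']:15} {r['threat']} / {r['vulnerability']}")
```

The ranked table is what the "analysis of risk results" step consumes; the treatment list is the input to the organization's improvement actions, and a later audit can check each listed item against the controls actually implemented.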
Improvement by the Organization
Typically, the organization acts on the risks identified in the SRA before the follow-up security audit, so that the audit can verify the improvements were implemented. A security audit may also be performed without a preceding SRA, depending on the organization's needs.
Security Audit (SA):
Following planning and information collection, security auditors carry out the following activities:
- Conduct a comprehensive review of the existing security policies or standards within the defined audit scope.
- Perform a thorough examination of security configurations.
- Conduct technical investigations, using automated tools for diagnostic reviews and/or penetration tests.
The scope of the audit will determine which systems or networks are involved in the security audit.
Our SRA or SA service may not exactly follow the steps or items in the guidelines of other parties or authorities.
Reporting (SRAA):
After the audit/assessment is completed, a security audit report or assessment report covering the above topics is delivered.