1. Field of the Invention
The present invention relates to information security assessments and, more particularly, to information security assessments based on one or more of information technology infrastructure characteristics, components, configuration, connectivity, and/or architecture, information handling policies, procedures, training, and/or awareness, enterprise type, and/or user area of expertise.
2. Related Art
Corporate and government enterprises rely on a variety of types of information, such as customer information, vendor information, personnel information, and regulatory filing/compliance information. If any of this information is compromised, whether by accident or malicious intent, then the business of the enterprise suffers. Assessing and improving information security is thus a goal of an enterprise.
Information security has both technology based elements and non-technology based elements. Deficiencies in either may compromise information security.
Technology based elements of information security typically include information technology (“IT”) infrastructure characteristics, components (hardware and software), configuration of the components (e.g., version and patch history of an operating system, routers, and firewalls), connectivity of the components, and architecture. Information security can be compromised by weaknesses and/or vulnerabilities in IT components, configuration of the IT components, connectivity of the IT components, architecture of the entire IT infrastructure or portions thereof. These are referred to as technology based vulnerabilities and risks.
For example, many technology components, hardware and software, have known inherent vulnerabilities and/or risks. Vulnerabilities and/or risks may vary by manufacturer, version, installed patches, etc. Similarly, the way in which IT components are configured may create vulnerabilities and/or risks to the information handled by the IT infrastructure. For example, hardware switch settings or software settings may be associated with known vulnerabilities and/or risks to the information handled by the IT infrastructure. Similarly, the way in which IT components are interconnected may create vulnerabilities and/or risks to the information handled by the IT infrastructure.
Non-technology based information security elements can include information handling policies, procedures, training, and/or awareness. Information security handling policy generally refers to guidelines, instructions, rules, and/or regulations for handling information. Information security procedure generally refers to specific step-by-step instructions for implementing security handling policies. Information security policies and procedures tend to vary by enterprise type and by the type of information being handled.
Depending upon the context, information security policies may also refer to policies implemented within an IT infrastructure, such as firewall policies, for example. Vulnerability and risks associated with this category of information security, however, generally falls under the rubric of technology based vulnerabilities and risks, rather than non-technology based vulnerabilities and risks.
A fundamental goal of an information security policy is to communicate to everyone in an enterprise that information is a valuable asset to the enterprise and that everyone is responsible and accountable for protecting the information. A security policy is a visible representation of security considerations, requirements, priorities, assumptions, and responsibilities.
A security policy provides many benefits to an enterprise, including, without limitation:                demonstrates management commitment to protecting enterprise information;        provides cost benefit analyses of security measures to mange risk and protect enterprise assets;        supports an enterprise's mission and goals and acts as an enabler for the enterprise;        identifies what information must be protected;        establishes who is responsible for protecting information;        provides unambiguous expectations for employee conduct and responsibility;        provides consequences of misuse;        minimizes negative exposure to the enterprise by limiting liability, negative press, etc;        guides product selection;        ensures proper implementation of IT.        
Security policies are developed by identifying information to be managed, determining the value of the information, determining the way the information is used, identifying who creates and uses the information, assessing risks to the information, and deriving requirements for protecting the information.
Information security can be compromised by deficiencies in IT infrastructure characteristics, components, configuration, connectivity, and/or architecture, and/or by deficiencies in information handling policies, procedures, training, and/or awareness.
In order to protect information, an information security assessment should be performed to identify any deficiencies in systems and/or processes. A proper information security assessment results in corrective measures and policy fixes that are appropriate for the types of information used by the enterprise, the way(s) in which the information is used, and the nature of the threats facing the information, and vulnerabilities associated with the systems and processes.
What is needed, therefore, is a system and method for assessing information security that takes into account technology based vulnerabilities and risks and non-technology based vulnerability and risks.
Information security vulnerabilities and risks vary by enterprise type. This is due, in part, to types of information handled by different types of enterprises, different types of threats faced by different types of enterprises, and/or different IT infrastructures. Thus, government enterprises, for example, may have different vulnerabilities and risks than commercial enterprises.
What is needed, therefore, is a system and method for assessing information security that takes into account an enterprise type, including consideration of any industry specific vulnerabilities and risks.
Within an enterprise, information needed to properly assess information security may not rest with a single individual or even within a single group of individuals. For example, IT information may be spread among multiple individuals or groups of individuals. The individuals or groups of individuals may be geographically diverse. For example, wide area network (WAN) knowledge might be with a WAN administrator, local area network (LAN) information might be with a LAN administrator. Other types of IT information might rest with one or more server administrators, IT supervisors, a CIO, etc.
Similarly, policies and procedures may vary within an enterprise depending upon the type of information being handled. For example, financial information, intellectual property information, human resource information, employee information, merger and acquisition information, regulatory information, and other types of information, may each have their own policy and procedure. Different individuals and/or groups of individuals may not be necessarily be aware of, or need to be aware of, policies and procedures outside of their respective areas of expertise.
What is needed, therefore, is a system and method for assessing information security that considers users' areas of expertise. Such a method and system should interview a plurality of users, based on each user's area(s) of expertise, to help insure that questions are answered accurately by qualified users, and to obtain an overall picture of information security within an enterprise.
An enterprise may define itself in terms of departments, subsidiaries, or other terms (generally, “domains”). Domains may be legally distinct domains or enterprise defined domains. domains may or may not be geographically based. Different domains within an enterprise may have similar and/or distinct information security issues to be addressed. For example, two or more domains within an enterprise may have substantially similar information security concerns, including technology based concerns and non-technology based concerns. On the other hand, two or more domains within an enterprise may have distinctly different information security concerns, including technology based concerns and non-technology based concerns.
What is needed, therefore, is a system and method for assessing information security that takes into account domains within an enterprise. Such a method and system should include a process for rolling-up information security information from various domains to perform an enterprise wide information security assessment.