3.1 Phase I - Planning

1. The first phase of security initiatives is planning, which begins with information gathering. Different organizations may initiate security efforts for various reasons, such as changes in management, realized losses from outages, or proactive concerns about investments.
2. During information gathering, details are collected to understand the full IT infrastructure and to serve as a basis for risk assessment.
3. ISSAF provides a questionnaire to standardize information gathering, with questions addressing areas like system activity log retention policies and dependencies on key services.


3.1 PHASE I – PLANNING
3.1.1 Information Gathering
Security initiatives normally do not have the same set of triggering events within organizations. In some instances a change in management could result in a focus on security as a critical requirement. In other instances it could be triggered by the realization of losses caused by a systems outage. In yet other instances it could be the result of a proactive approach by managers concerned about the outcome of their investment. Whatever the triggering event, the fact remains that information has to be gathered to substantiate the underlying concern. If an auditor is concerned about the retention period of system activity logs, he cannot make a business case unless he is able to substantiate the need for backing up activity logs with the specific non-repudiation-based legal or compliance requirements on which he is basing his recommendation. If there is a business dependency on a particular information service such as email, it is incumbent upon the process owner of the concerned business function to identify the potential losses that could accrue from an hour, a day, or a week of systems outage caused by a virus or other such likely threats. Otherwise it would be impossible for those responsible for authorizing the requisite investments to make an informed decision in this regard.

Information gathering therefore seeks to assemble a complete picture of the information technology infrastructure to serve as the basis for the next phase, namely risk assessment.

ISSAF has assembled a set of questions that can serve as the basis for this information gathering in a document titled ISSAF – Information Gathering Questionnaire. It is recommended that the security practitioner collate this information and analyze the findings prior to moving to the next stage, namely preparing the business case to align management on security as a priority.
