Introduction
A security audit exercise is a means of assessing your current security posture. The audit can be based either on the Organizational Security Policy (OSP) or on an industry standard such as ISO27001 (BS7799). Our audit methodology follows the ISO27001 (BS7799) standard unless the client specifically requests otherwise. If the client wishes the audit to be based on their OSP, the OSP itself also becomes an object of the audit, since any gap in the policy is a gap in the controls it is meant to mandate. Our security audit exercise is aimed at ensuring that security is used as a business enabler within the organization and that the objectives of the security initiative are aligned with the overall business objectives.
Methodology
Once the scope of the audit has been defined, we will submit a detailed audit plan to the client. This audit plan lists the aspects of the IT infrastructure and processes that will be audited, the auditors carrying out each part of the audit, the auditees expected to respond for those parts, and the estimated duration in hours. This helps the organization ensure that the right people are available to respond to our queries and to provide us with access to the systems.
The audit exercise kicks off with a study and analysis of the mission-critical activities supported by the IT infrastructure and processes within scope. This step identifies the business processes that must be kept up and running for the business to deliver on its promises to its clients, customers, shareholders, partners, employees and other stakeholders. Once the critical business processes have been identified, the risk assessment exercise follows. The stages of the risk assessment exercise are as shown below:
Determine the Information Assets
The organization may be dealing with a variety of information assets. These may include IT infrastructure, people, printed documents, etc. This step identifies those information assets whose Confidentiality, Integrity and Availability must be ensured.
Determine Value of Assets
In order to prioritize our risk assessment efforts, it is important to determine the value of these assets. Assets are valued in terms of the impact on the organization if the Confidentiality, Integrity or Availability of the information is lost. For each asset it is also important to determine which of these three properties would cause the greatest impact if lost, since that determines which controls matter most for that asset: a public web page may need strong integrity and availability but no confidentiality, whereas a payroll file needs all three.
Determine Vulnerabilities in the system
Vulnerabilities are inherent weaknesses in a system that arise either from a design flaw or from an implementation flaw. Where a security weakness in the organization is due to a design flaw, which cannot simply be patched away, we will evaluate two options:
1. Introduce a workaround configuration that prevents the vulnerability from being exploited
2. Introduce some other control that reduces the impact if the vulnerability is exploited
Where the weakness is due to an implementation flaw, i.e. one introduced at the point of deployment or configuration, we will ensure that the Security Procedure documents state clearly how the system must be configured. This ensures that administrators configure systems in a way that eliminates the vulnerability rather than relying on each administrator to know about it.
Determine Threats to the system
Threats are events or actors that may exploit a vulnerability in order to cause a loss of Confidentiality, Integrity or Availability. Threats are usually classified as natural or man-made. Examples of threats to the organization include hackers attacking the organization, a resource crunch that causes part or all of the organization to become non-operational, and incorrect data input that causes part or all of the systems to malfunction. Controls may already be in place for some of these threats, and when evaluating threats and their impact we take existing controls into account. For instance, if adequate input validation controls exist, the impact of incorrect data input is greatly reduced. The audit also treats the OSP itself as a potential source of threat: any lapse in the OSP documentation means the corresponding control is taken as not implemented, because a control that is not mandated cannot be relied upon. The audit will therefore verify that the OSP is comprehensive, effective and specifies penalties for violations.
Not every threat is relevant to every organization. For instance, the threat of a cyclone may be ignored in some locations, whereas in a city like Mumbai civil unrest or bandhs are serious threats that can affect the organization's ability to function and must be taken into account when drafting the OSP.
Determine Impact due to Threats
The impact of a threat is directly related to the value of the asset it affects. It is measured in terms of the loss to the organization if a breach of the asset leads to a loss of Confidentiality, Integrity, Availability, or a combination of these, for the information assets concerned.
Determine Risk from these Threats
Risk to the organization is computed as the product of the Vulnerability rating, the Impact and the Probability of the threat occurring, so a high-impact threat against a well-protected asset with a low likelihood can rank below a moderate-impact threat that is both likely and easy to exploit. We then rank the resulting matrix by risk exposure. Risk may also arise from non-compliance with legal or regulatory requirements, and such risks are considered here as well.
Determine Risk Treatment Plan
The organization may choose one of the following four options to deal with each identified risk:
• Transfer the risk, e.g. with insurance cover
• Accept the risk, e.g. if it is within the risk appetite of the organization
• Reduce the risk, e.g. by implementing appropriate security controls
• Avoid the risk, e.g. by eliminating the threat or vulnerability completely, such as by decommissioning the system that carries it
The Risk Treatment Plan must also clearly specify the Degree of Assurance (DOA) that the organization finds acceptable. Where risks are to be reduced or transferred, the Plan must also assign responsibility for executing the management-approved action plan and set the timeline within which each measure is to be implemented.
Deliverables
The Security Audit report will contain the following:
Risk Assessment Matrix - Assets, Threats, Impacts, Vulnerabilities, Probabilities, Risk, and Suggested Countermeasures
Risk Treatment Plan - Degree of Assurance, Action Plan, Responsibility, Timeline, and Review Schedule
Why Titanium?
An experienced team of CISA, CISSP and ISO27001 (BS7799) auditors will ensure that the organization is given the highest possible degree of assurance and that controls are implemented in a cost-effective and practicable manner. The entire exercise will be conducted in accordance with the ISO27001 (BS7799) standard.