To address the subject of information security appropriately, an organization must analyze the status of its own information security. In the analysis phase, it must detail the as-is situation regarding people, processes, and technology. In this assessment to analyze its current situation, the organization should cover the following areas.

Dimension Topic Content

People Security governance and available skills

  • Roles related to security
  • Responsibilities
  • Organizational units and cooperation model
  • Job descriptions
  • Skill management
  • Segregation of duties

Processes Process framework

  • Security policy
  • Security architecture and applicable minimum requirements
  • Security standards
  • Continuous improvement
  • Data classification guideline
  • Process descriptions/procedures/guidelines
  • Asset and configuration management
  • Incident and problem management
  • Monitoring and event management
  • Encryption key and critical parameter management
  • Change management
  • Checklists and run books
  • Reporting

Technology Technical security architecture

  • Security zoning
  • Security perimeter
  • Security gateways
  • Communication matrix
  • Network and security architecture
  • Network and security concepts and designs
  • Security management and tools
  • Management access and centralized log files

After an organization determines the as-is situation, it must define the target situation to figure out the gaps between where it currently is and where it wants to be in terms of information security. The risk assessment delivers valuable insights for deciding what level of information security the organization requires in the light of real-world threat scenarios.