We are now living in an age when information systems and networks are becoming a critical infrastructure, supporting government, the economy, society and daily life. Taking measures for information security is absolutely imperative. In the worst case, security vulnerabilities inherent in organizations and their information systems may become serious enough to threaten the continuity of business and of daily life. Therefore, it is essential for executives in organizations to assess the threats to and vulnerabilities of their information systems and to apply the proper risk management strategies. In order to take effective measures against such threats, the appropriateness of the applied controls should be evaluated carefully. Without valid evaluation, the effectiveness of countermeasures can never be guaranteed. The ISMS conformity assessment scheme, information security audit, vulnerability test (i.e. vulnerability audit or vulnerability assessment), and information security benchmark are examples of assessment methods for IT security. Furthermore, we can point out another example: IT security evaluation and certification programs that verify and certify security products or systems. For each of these appraisal methods, a significant number of standards, guidelines, technical reports, and other documents can be found. This paper presents a comprehensive vision of information security evaluation and assessment by distinguishing the differences among these various methods.