What are the methodologies for Information System Security?

A methodology is a structured framework of specific practices, processes, and rules for carrying out a particular task or function. There are several methodologies for information system security, which are as follows −

INFOSEC Assessment Methodology (IAM) − Its objective is to provide a consistent, repeatable method for examining the INFOSEC posture of automated information systems. IAM focuses on a high-level assessment of a specified operational system in order to identify potential vulnerabilities.

IAM is divided into three phases: Pre-Assessment, On-Site Activities, and Post-Assessment. The Pre-Assessment phase is intended to build a general understanding of the customer's needs, define the target systems, and establish the rules of engagement for the assessment. Pre-Assessment concludes with a written assessment plan.

The On-Site Activities phase carries the main thrust of IAM: it takes the results of the Pre-Assessment phase, validates them, and performs further data gathering and validation.

INFOSEC Evaluation Methodology (IEM) − Its objective is to provide a technique for technically evaluating vulnerabilities in systems and for validating the actual INFOSEC posture of those systems. The IEM is a companion methodology to IAM, fitting under the overall umbrella of the IA-CMM framework, but targeting Level 2 of the “Vulnerability Discovery Triad.”

The difference between IAM and IEM is that the IEM performs actual hands-on evaluation of systems to confirm that vulnerabilities really exist, whereas the IAM's output documents probable vulnerabilities in those systems.

IEM is divided into three phases: Pre-Evaluation, On-Site, and Post-Evaluation. The Pre-Evaluation phase begins by taking the IAM Pre-Assessment document as input and then coordinating the rules of engagement for carrying out a technical evaluation of the target systems. This phase concludes with a Technical Evaluation Plan.

The On-Site phase of the IEM then carries the bulk of the hands-on technical work, performing various discoveries, scans, and evaluations. All findings are manually validated to ensure their accuracy.

Finally, the Post-Evaluation phase completes the methodology in a manner similar to the IAM, pulling together all the data produced into a final document that details findings, recommendations, and a security roadmap.

Security Incident Policy Enforcement System (SIPES) − Its objective is to provide a methodology for defining and implementing a Security Incident Policy Enforcement System. This methodology is included for completeness.

The Security Incident Policy Enforcement System (SIPES) draft presents a relatively abstract approach to addressing the complexity of incident response management. The paper starts by clarifying the definition of failure in internal IT systems and then proceeds to construct its “stateful” methodology.