Frequently Asked Questions (FAQ)

1. Why ISSAF?

Why Information?
Information is the primary enabler for business transactions. Without being able to record, process and report transactional data, the organization would be unable to deliver the desired results. This data becomes useful when it is used as the basis for analyzing performance and other critical considerations to arrive at an informed decision. IT as a department is therefore primarily concerned with supporting the recording, processing and reporting of transactional data, that is used to create the required information.

Why Security?
Significant investments and ongoing annual overheads are required to support the technology infrastructure used to capture, transport, store and deliver the services required to manage information. Security professionals were the first to recognize the need to protect these concomitant investments to enable information delivery. If information is not available to the right person, at the right time, in the right place, the ability of that person to perform their business function could end up being significantly impaired. Security as an organizational function can provide assurance to the requisite stakeholders about the non-repudiation of transactions, meet compliance requirements with respect to financial reporting, and protect information assets from damage or theft.

Or more importantly why NOT ISSAF …

Options today are not limited. From governance models such as COBIT, through control structures such as BS7799, to assessment methodologies such as IAM et al., many alternative approaches have evolved to address information security requirements. ISSAF chose to address what is currently lacking today, viz. a comprehensive framework that integrates the above security-related domains, implemented using field-tested checklists, questionnaires, procedures and tools, and delivered using a proven engagement structure.

It provides technology based risk assessment checklists complemented by a mapping tool that provides management with a graded risk analysis report.

Internal control questionnaires supplement this material by reviewing business continuity priorities, security policies, organizational structure, compliance management, and IT operations (configuration, capacity, patch, performance and change management).

At a fundamental level it provides a set of proven penetration testing procedures and tools. ISSAF is unique in the level of detail and depth of technical know-how that has been brought to bear on this most arcane of security-related disciplines, and this, we believe, positions us as the most practical of all the security-related alternatives available.

Why an open framework?
OISSG has chosen not to restrict itself to fee-paying, card-carrying members, to respect the spirit and tradition of the open source community that forms its constituent majority. ISSAF will continue to evolve as open source to respect the contributions of its members and to help the framework grow in a transparent, community-oriented process. As such, we expect this framework to undergo further revisions before it stabilizes into the comprehensive framework that we have defined as the goal for our organization.