The ongoing digitalization of the business world has made information technology security an integral part of every enterprise. The need for comparable and measurable methods has led to the development of numerous standardized activities for estimating exposure to existing threats. In this paper, we present various approaches to verifying, evaluating and confirming the operational effectiveness of security controls implemented in complex IT systems. The individual techniques are represented by IT risk assessments and penetration tests. We analyze them from a theoretical perspective and present records of the case studies we conducted. As a result, we are able to verify how these activities can be applied in real-world IT environments. The results of our work enable further investigation into finding the optimal approach to ensuring sufficient security whilst preserving an acceptable risk-business trade-off.