What is a security review?
A security review is a collaborative process used to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance.
When is a security review needed?
A security review should be completed for all services and service changes that may affect security prior to go-live. Security reviews can also be performed for existing services if business or technical partners determine one is needed – typically in response to security concerns or new security-related requirements.
Steps for completing a security review:
1. Brainstorming: Identify known or potential security concerns/threats/vulnerabilities
- To be done by technical and business partners together, including IT Policy and Security. This can be done by a Service Team if all parties are represented
- The Service Manager or convener of the review should seed the list with already-identified issues prior to the larger brainstorming session
- Note: Common issues are identified in the "seeded" version of the template (link above). Not all pre-seeded issues will apply to all situations. This template also has space to add project-specific issues in addition to the pre-seeded issues.
2. Identify existing and planned/scheduled mitigations for each issue
3. Rank likelihood (low/med/high) of the issue occurring given existing/planned mitigations, and impact if it were to occur (low/med/high)
4. Identify residual risk (low/med/high); risk = likelihood x impact. Since both inputs are low/med/high ratings rather than numbers, agree on the matrix used to combine them before ranking so that results are consistent across issues
5. Identify additional possible mitigations to address residual risk, and effort/cost (low/med/high)
6. Present the findings to the business partner or Service Sponsor for acceptance or non-acceptance of the residual risk.
- The decision should state whether the residual risk is accepted as-is or accepted subject to conditions, and record any conditions.
- Where additional action is required, identify action items, owners, and dates where possible.
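The following is an added example, not part of the original page or of any review template it refers to. It turns steps 2 to 6 into a small risk register: each issue carries its existing mitigations, a likelihood and impact rating judged against them, and proposed mitigations with an effort rating; residual risk is derived from the pair, issues are ranked for presentation, and the sponsor's decision is recorded with a completeness check. The numeric bucketing used for "likelihood x impact", the sample issues, and the rule that a non-acceptance must carry at least one action item are all assumptions made for illustration; the page specifies none of them.

```python
"""Qualitative risk register for a security review (added example).

The mapping from likelihood x impact to a low/med/high residual risk is an
assumed convention, and the sample issues below are constructed; neither
comes from the page this accompanies.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MED = 2
    HIGH = 3


def residual_risk(likelihood: Level, impact: Level) -> Level:
    """Step 4. Assumed bucketing of the ordinal product: 1-2 low, 3-4 med, 6-9 high."""
    product = likelihood * impact
    if product <= 2:
        return Level.LOW
    if product <= 4:
        return Level.MED
    return Level.HIGH


@dataclass
class Mitigation:
    description: str
    effort: Level  # effort/cost to implement (step 5)


@dataclass
class Issue:
    name: str
    likelihood: Level  # judged given existing/planned mitigations (step 3)
    impact: Level
    existing_mitigations: list[str] = field(default_factory=list)  # step 2
    proposed_mitigations: list[Mitigation] = field(default_factory=list)  # step 5

    @property
    def residual_risk(self) -> Level:
        return residual_risk(self.likelihood, self.impact)


@dataclass
class Decision:
    """Outcome of step 6 for one issue; action items are (action, owner, due date)."""
    issue: Issue
    accepted: bool
    conditions: list[str] = field(default_factory=list)
    action_items: list[tuple[str, str, str]] = field(default_factory=list)


def rank_register(issues: list[Issue]) -> list[Issue]:
    """Highest residual risk first; ties broken by likelihood, impact, then name."""
    return sorted(issues, key=lambda i: (-i.residual_risk, -i.likelihood, -i.impact, i.name))


def items_needing_decision(issues: list[Issue], threshold: Level = Level.MED) -> list[Issue]:
    """Issues at or above the threshold that the sponsor must explicitly accept or act on."""
    return [i for i in rank_register(issues) if i.residual_risk >= threshold]


def cheapest_mitigations(issue: Issue) -> list[Mitigation]:
    """Proposed mitigations cheapest first, to weigh effort against residual risk."""
    return sorted(issue.proposed_mitigations, key=lambda m: m.effort)


def record_decision(issue: Issue, accepted: bool, conditions=(), action_items=()) -> Decision:
    """Record the sponsor's decision. Assumed check: a non-acceptance means further
    action is required, so it must carry at least one action item."""
    if not accepted and not action_items:
        raise ValueError(f"{issue.name!r}: non-acceptance recorded without any action item")
    return Decision(issue, accepted, list(conditions), list(action_items))


# Constructed sample register for illustration; not from any real review.
SAMPLE_ISSUES = [
    Issue("Service account password stored in deployment config", Level.HIGH, Level.HIGH,
          proposed_mitigations=[Mitigation("Move secret to the vault, inject at deploy time", Level.MED)]),
    Issue("Admin console has no MFA", Level.MED, Level.HIGH,
          existing_mitigations=["Reachable only over VPN"],
          proposed_mitigations=[Mitigation("Enforce MFA via SSO", Level.LOW),
                                Mitigation("Restrict to admin jump host", Level.MED)]),
    Issue("Outdated third-party library, no public exploit", Level.MED, Level.MED,
          existing_mitigations=["Monthly dependency update cycle"],
          proposed_mitigations=[Mitigation("Pin and upgrade before go-live", Level.LOW)]),
    Issue("Stack traces shown on error pages", Level.MED, Level.LOW,
          proposed_mitigations=[Mitigation("Enable production error handler", Level.LOW)]),
]


if __name__ == "__main__":
    for issue in rank_register(SAMPLE_ISSUES):
        print(f"{issue.residual_risk.name:4} {issue.name}")
        for m in cheapest_mitigations(issue):
            print(f"       option ({m.effort.name} effort): {m.description}")
```

Ranking the register before the sponsor meeting puts the items that need an explicit decision at the top; the completeness check on `record_decision` catches the common failure of a "not accepted" verdict that leaves no one owning the follow-up.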