The RIIOT approach in information security assessment
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
August 22, 2022
One of the core elements in information security assessment, and perhaps the foundational piece in any information security analysis, is the gathering of data. The data gathered informs and guides the stakeholder about the necessary steps to take and whom to ask questions, and, more importantly, it drives the security controls that must be embedded within the organisation. Yet most organisations tend to neglect this step, and this often leaves vulnerabilities and threats unaddressed. The data gathering step is labour intensive, requires excellent project management and feeds into the creation of controls that can help companies protect their data sets.
There are many ways a company can go about data gathering, but in this article we focus on Douglas Landoll’s RIIOT approach.
RIIOT stands for the five steps of the method: Review, Interview, Inspect, Observe and Test. The idea behind the approach is to break the data gathering down into these activities so that the highest risks within any organisation are brought to the surface. Its main benefit is that it organises a clearly defined data gathering effort, makes it possible to manage multiple tasks, and helps stakeholders make sure they are covering the appropriate threats and vulnerabilities. This is not to say that it is the best, or the only, approach to information security assessment. Organisations are advised to use what works for them.
For information security, the review stage covers and attempts to unpack the layout, IT architecture and other elements of the security controls within an organisation. To put it another way, it is surveying the landscape for everything that is available, trying to understand the terrain and, through that analysis, coming up with ways to approach the project.
The interview stage entails interviewing key personnel to determine their ability to perform their duties and to understand how those duties feed into the policies, procedures and network maps. This stage gives the information security personnel a picture of the business process owners and, more importantly, of how each role ties into the organisation’s overall information security.
The next step, inspecting security controls, entails examining the controls that have been implemented, such as visitor controls, configuration files, smoke detectors and incident response handling. Best practice is to judge these controls against industry standards. For example, if the organisation is a payment card processing company, then measuring it against Payment Card Industry controls would be the best approach.
There is an absolute need to observe the behaviour of users. These observations provide essential insight into the effectiveness of the security controls in place in a company. There is no point in employing security controls if they cannot be verified. What usually happens in most organisations is a belief that once a control is in place, that’s it. No. The best approach is to test these controls regularly with the intention of finding new ways of improving or tightening the security.
The last phase is testing, which entails exercising controls such as firewalls, servers, open-door alarms and motion sensors. Testing might also involve the use of vulnerability scanners for logical security controls, and companies must develop specific methods for physical controls, such as shuffle tests for motion sensors.
The RIIOT approach is employed in most information security methodologies, and it is a proven approach that any organisation can use in its information management schema. However, a caveat must be added: check with a consultant on how best to use it in your organisation.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com