Providing a quality service or application is often a good indication of an organisation that is paying attention to detail and as a result there is reason to suspect that they're also paying attention to security. A bit general perhaps but if you're looking for smells, I believe the quality of an organisation's public channels can provide some indication of the quality of that organisation's internal systems and processes.
From the inside a good indication that attention is being paid to detail is the existence of a risk program. Assessing risk in information systems is a prerequisite for both quality and security. Assessing risk is really only expensive in time and that only for initialisation, once established it only requires a relatively small effort to maintain. The tool I've used previously is a spreadsheet and the process involves a round-table discussion with all involved parties to thrash out what risks can be identified in operations/systems/applications. The great bonus of this exercise is that everyone gets an opportunity to have some input in a neutral forum and issues that have been held close can be exposed to the light.
Once an agreed list of risks has been composed, the next step is to assign values representing the impact and likelihood of each risk on a scale from 1 to 5:
| Impact | Likelihood | Gross Risk |
|---|---|---|
| 5 (catastrophic) | 5 (almost certain) | E extreme/critical |
| 4 (major) | 4 (likely) | H high risk |
| 3 (moderate) | 3 (moderate) | M moderate risk |
| 2 (minor) | 2 (unlikely) | L low risk |
| 1 (insignificant) | 1 (rare) |
Another table then provides a value for the gross risk assessment (see previous table for Gross Risk legend):
| Likelihood | |||||
|---|---|---|---|---|---|
| Impact | 5 | 4 | 3 | 2 | 1 |
| 5 | E | E | E | H | H |
| 4 | E | E | H | H | M |
| 3 | H | H | M | M | L |
| 2 | M | H | M | L | L |
| 1 | L | H | M | L | L |
The spreadsheet has a single row for each identified risk, and within that row there are columns for a description of the risk, the impact and likelihood and the calculated overall risk. Other columns include accountability and the current risk mitigation measures and management comment. It becomes fairly obvious then what issues require immediate attention and which ones can be treated as routine. It is also a great way for highlighting to management issues that might otherwise not get the attention they deserve and ensuring that if something does go wrong that management had previously been made aware of the risk, accepted the risk and agreed to the mitigation measures that had been put in place, i.e. the principle of no surprises. Plus once it is in place it only requires a regular review to continue to be effective.
This is not something I cooked up myself, it was a process established as part of a risk program and introduced by a third party organisation. I don't know where that third party sourced the process. I do know it is simple and effective.
