As we covered in our last installment, a security assessment is a thorough study done mainly to identify the IT-related threats and risks of an organization. This process requires the full cooperation of the assessed organization and is meant to improve the security posture of that organization.
We also outlined seven methodologies that make up a security assessment: risk assessment/discovery, vulnerability assessment/scan, data analysis, security policy & documentation review, penetration test, security audit, and security review.
In this post, we will cover the beginning stages of this process. As you now know, a security assessment is not a single step or test, but a look at your organization as a whole as it pertains to your IT infrastructure. Before this process can begin, you must first identify the risks and vulnerabilities that your organization may have. Once your risks and vulnerabilities are identified, the resulting data must be analyzed.
Now that your security assessment is in its beginning stages, you should more clearly understand the information that your organization houses and the applications and systems that are critical to your business. You should also know who has access to this information. After the data is analyzed, organized, and prioritized, you can begin to put together your remediation plan to improve the security of your company. Remember, security is a series of steps, not a single act or group of products.
In our next blog post on August 7th, we’ll discuss the remaining four methodologies of a security assessment.