What is a security assessment?
We’re dedicating a four-part blog series to help answer this question. A common misconception among novice IT professionals is that a security assessment is a single test that looks only at the outside edge of your business’ infrastructure. This could not be further from the truth. The correct term for that type of test is a pen test (or penetration test), and it makes up only one of the seven methodologies needed to properly implement a security program at your place of business. This is a process that we will be discussing in further blog posts.
Security assessments should be looked at as a commitment, from an organizational point of view, to change the way your business operates in order to protect your critical business information. This process should involve internal staff as well as your outsourced security consultants. Security assessments should have one goal in mind: to improve the security posture of your organization. For this to truly happen, your organization has to be willing to open up and directly address the findings discovered.
Not all organizations require a strict security program and each business’ direct needs should be explored with your local security experts. If your business is in a regulated industry such as healthcare, education, financial/insurance or legal, you really should add a security assessment to your upcoming IT budget to confirm that you’re complying with regulatory standards. As a reminder, always make sure that you have proper non-disclosure agreements in place before outsourcing any work in order to protect your business. Also, be sure to establish “rules of engagement” and identify the boundaries of such an assessment.
There are seven methodologies that make up the entire process of a security assessment. These seven methodologies are as follows:
Risk Assessment/Discovery
Vulnerability Assessment/Scan
Data Analysis
Security Policy & Documentation Review
Penetration Test
Security Audit
Security Review
The process of a security assessment should take a holistic look at company policies, physical access, electronic access, device configuration, assets, and liabilities (to name just a few). Putting every aspect of your network environment up for discussion allows all parties to responsibly address the current status of your business’ security program. By identifying, acknowledging, and remediating the findings of such an assessment, you will be well on your way to protecting your business and your customers’ information.
Check back in on July 23rd to find out what the first three methodologies of a security assessment really mean!