As we covered in our last installment, a security assessment is a thorough study done mainly to identify the IT-related threats and risks of an organization. This process involves the full cooperation of the assessed organization and is meant to improve the security posture of that organization.
We also outlined seven methodologies that make up a security assessment: risk assessment/discovery, vulnerability assessment/scan, data analysis, security policy & documentation review, penetration test, security audit, and security review.
In this post, we will cover the beginning stages of this process. As you now know, a security assessment is not a single step or test, but a look at your organization as a whole as it pertains to your IT infrastructure. In order for this process to begin, you must first identify the risks and vulnerabilities that your organization may have. After your risks and vulnerabilities are identified, the data must be analyzed.
What is a risk assessment/discovery?
A risk assessment is the process of identifying the assets, data, and systems that would be liabilities to your organization if they were compromised. This could include, for example, confidential client, critical business, medical, or financial information. It could also cover critical applications, servers, or services. In this process, you find out who has access to this information from inside and outside the organization, and you determine whether they should have access to this information or these systems in the first place.
What is a vulnerability assessment?
A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in your assets, systems, or applications. Identifying these potential security holes allows you and your security consultants to put the proper solution in place to secure access to the systems, services, or applications needed to conduct business.
What is data analysis?
Finally, after you identify your risks and vulnerabilities, it’s time to analyze the data collected. The data you gathered not only needs to be analyzed but also organized. A data analysis helps identify your most critical issues so that you know the order in which they should be addressed. This also helps you understand your risk while remediation is taking place.
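As an added illustration (not from the original post), a small Python script that carries these three stages through on a constructed inventory: it lists accounts whose access fails the review described under risk assessment, then orders the vulnerability findings so the most critical issues come first. The assets, accounts, findings, and the severity-times-criticality scoring are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample inventory: each asset carries a business criticality (1-5),
# the accounts that actually hold access, and the accounts that should.
@dataclass
class Asset:
    name: str
    criticality: int        # 5 = most critical to the business
    has_access: set
    should_have_access: set

# Constructed vulnerability findings, one per asset/issue pair.
@dataclass
class Finding:
    asset: str
    title: str
    severity: int           # 1-10, e.g. a CVSS-style base score

def excess_access(assets):
    """Risk-assessment step: accounts holding access the review says they should not."""
    return {a.name: sorted(a.has_access - a.should_have_access)
            for a in assets if a.has_access - a.should_have_access}

def prioritize(assets, findings):
    """Data-analysis step: order findings by severity weighted with asset
    criticality, highest first. Ties break on raw severity so a serious bug on a
    lesser asset still surfaces above a mild one on a comparable asset."""
    crit = {a.name: a.criticality for a in assets}
    scored = [(f.severity * crit[f.asset], f) for f in findings]
    scored.sort(key=lambda t: (t[0], t[1].severity), reverse=True)
    return [(score, f.asset, f.title) for score, f in scored]

ASSETS = [
    Asset("patient-db", 5, {"dba", "app-svc", "intern"}, {"dba", "app-svc"}),
    Asset("marketing-site", 2, {"webadmin"}, {"webadmin"}),
    Asset("billing-api", 4, {"finance", "app-svc"}, {"finance", "app-svc"}),
]
FINDINGS = [
    Finding("marketing-site", "Outdated CMS plugin", 9),
    Finding("patient-db", "Database reachable from office LAN", 6),
    Finding("billing-api", "Verbose error messages", 3),
    Finding("patient-db", "Weak password policy", 5),
]

if __name__ == "__main__":
    print("Access to revoke or justify:", excess_access(ASSETS))
    for score, asset, title in prioritize(ASSETS, FINDINGS):
        print(f"{score:>3}  {asset:<15} {title}")
```

Note that a plain severity sort would put the marketing site's plugin issue first; weighting by criticality moves the two patient database findings ahead of it.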
Now that your security assessment is in its beginning stages, you should more clearly understand the information that your organization houses and the applications & systems that are critical to your business. You should also know who has access to this information. After the data is analyzed, organized, and prioritized, you can begin to put together your remediation plan to improve the security of your company. Remember, security is a series of steps and not a single act or group of products.
In our next blog post on August 7th, we’ll discuss the remaining four methodologies of a security assessment.