Continuing our security assessment series, we come to the end of the security assessment process. Today we'll cover the remaining four methodologies: security policy & documentation review, security audits, security reviews, and penetration tests. So let's jump right in!
What is security policy & documentation review?
One of the most important steps in the security assessment process is also one of the least glamorous. Nobody likes writing policies or reviewing documentation, but this often overlooked step defines how your organization is expected to conduct itself. Policies can cover internet & social media usage, change management, incident response, and so on. Your employees can make or break your security, and these policies give each of them clear guidelines to follow. For example, staff who follow a defined procedure for verifying unexpected requests are harder to socially engineer, and a clear acceptable-use policy reduces visits to malicious sites, which in turn cuts cleanup costs and lost productivity. The review does not stop at reading the documents: it checks that the policies are current and actually followed, and it identifies the technical controls (such as web filtering) needed to enforce them where a written rule alone is not enough.
What is a security audit?
Security audits are typically used to demonstrate regulatory compliance, for example with HIPAA or SOX. A security audit is a systematic evaluation of the security of a company's information systems, measuring how well they conform to a set of established criteria such as a regulation or an industry-recognized standard. This step matters because it shows exactly where you fall short of the standard, and the findings give your organization a roadmap for bringing a regulated business into compliance. Keep in mind that passing an audit means you meet the criteria on paper; it does not by itself prove your systems will resist a real attacker, which is what the penetration test below is for.
What is a security review?
A security review is the process of examining information and products before they are released publicly to make sure the material will not jeopardize ongoing or future operations. This is a key step: you want to acknowledge your vulnerabilities internally without disclosing so much detail (for example network diagrams, software versions, or internal hostnames) that you hand an attacker a head start.
What is a penetration test?
A penetration test is the practice of testing a computer system, network, or web application by attempting to exploit its vulnerabilities the way a real attacker would. Its main objective is to identify an organization's exploitable security weaknesses and demonstrate their real impact, rather than just listing them. A pen test can also check compliance with the organization's security policy, its employees' security awareness, and its ability to detect and respond to an attack in progress. Because the good guys are conducting the attacks, the term "white hat" (or ethical) hacking is also used. A penetration test should always be performed under written authorization with an agreed scope and rules of engagement; without them, the same activity is simply an attack.
You may now be realizing that security assessments are far more involved than you previously thought. Hard work and dedication are necessary to improve your company's security health. A security assessment will test for vulnerabilities (both physical and digital) and measure the strength of your "human firewall." As important as an anti-virus application or a new firewall is, these products can be bypassed by exploiting naïve employees. At the end of the day, arming your employees with the tools to recognize and defend your organization against cyber threats will be your greatest asset.
This series will wrap up on August 20th. Don’t miss it!