This month's topic is regulatory compliance security assessments and what you should look for in them.
A security assessment is a systematic, measurable technical assessment of how a security process and program is employed at a specific site. Unlike in a penetration test (black box), the information security professionals performing an assessment work with the full knowledge of the organization (crystal box) and at times with considerable inside information in order to understand the resources to be audited. An assessment is a more comprehensive examination of an information system and network. It involves not just the testing of the vulnerabilities, but other aspects including the overall design of the information system or process, and perhaps the system's resistance to social engineering tactics.
The assessment should include security checklists and questionnaires that cover networks/LANs, firewalls, Internet access, data access, virus management, etc. A quality assessment should also review existing security policies, procedures and programs and identify gaps as they relate to standards and guidelines provided by the regulatory body.
In this phase, the assessor should review the existing network documentation, policies and procedures, and previous security assessment reports, and interview technical and management staff. This provides an initial picture of how your systems are implemented and secured. It will also result in a very specific, detailed assessment plan.
The assessor will review and critique your systems, policies and procedures. You should expect to begin this phase with a security briefing with management to review with them various aspects of technology security, establish a framework for understanding of the issues and trade-offs associated with technology security and to receive management's overall stance on technology security within the company. This briefing defines the foundation for the type and level of recommendations which will be included in the final report. This portion of the assessment involves a very "hands-on" information-gathering methodology. Consequently, the assessor will need access to your servers, workstations, network and staff.
Review and analyze all the collected data and reports, including the checklists, vulnerability reports, interview notes, etc. They should then be compared to your existing policies to attain the desired level of security.
The final phase should include written recommendations and analysis based on the assessment. This report should include the business's current state of information technology security. It should also include the pre-existing vulnerabilities for your network and the recommendations for their mitigation. Network and system topologies as well as logs, reports and paperwork generated by the assessment should also be included in the assessment.
There you have it. An Information Technology security assessment should constitute an important part of any organization's security posture. What you must keep in mind when an assessment is completed is that the policy and procedures will provide the focus for risk assessment and threat management within the institution as a whole. This will then drive what controls are required to manage these risks in compliance with the level of diligence that is required by the institution.
More Articles by Michael Desrosiers © 2009-11-07 Michael Desrosiers