Topics:   Cybersecurity,Regulations & Legislation,Risk Management,Strategy,Technology,The Digital Director

Topics:   Cybersecurity,Regulations & Legislation,Risk Management,Strategy,Technology,The Digital Director

March 17, 2015

What to Expect from a Security Assessment

March 17, 2015

As information security becomes increasingly visible and accepted as a core business function, senior executives need to have a thorough understanding of the organization’s overall security posture as well as a way to identify areas needing improvement.

A security assessment increases awareness and understanding of security issues, but more importantly, it helps key decision-makers make smart security investments by highlighting high-importance and high-payoff tasks to work on. Security assessments are not just hunting expeditions to find security weaknesses. A security assessment is a top-down analysis of existing security controls and processes. It provides an understanding of the status of each control, highlighting both the positive levels of maturity and areas of improvement based on the organization’s specific need as well as recognized best practices.

For some organizations, security assessments aren’t optional as they may be subject to one of the many governmental regulations—HIPAA, PCI, FISMA, Sarbanes-Oxley, Gramm-Leach Bliley, to name a few—which require deploying a set of security controls. Even for organizations who don’t have that regulatory stick, independent assessments help guide the organizations towards improving and strengthening internal security practices.

Getting Started

An assessment starts before the team arrives on-site. It should begin with a kick-off call to handle logistics, introduce the primary point of contact and members of the team, and to discuss the scope of the assessment. Agreeing on the scope and timeline of the assessment beforehand makes sure everyone’s expectations are met by the end of the process. Depending on the size of the organization under review, an assessment should take a few weeks to a few months.

Collect Documents

In this phase, the organization pulls together all the documentation referencing their processes, security policies, guidelines, and standards. These documents—which include network architecture diagrams, process diagrams, and workflows for specialized teams such as incident response—should be delivered to the assessment team beforehand so that the team has the opportunity to review them and identify any gaps that need to be addressed in the form of additional documentation or formal interviews. These documents help the assessor to understand the organization before scheduling the actual visit.

Having this information available to study ahead of time saves the assessment team time because the on-site time is spent on face-to-face interviews. It’s not a problem if the documents are rough and only informal materials are available, as the assessment is not evaluating how well the processes are documented.

Focus the Conversation

Having the information in advance means the team can identify the right people to set up meetings with and target the discussions specific to the organization’s environment. For example, if there are 20 areas under review, but only five of them have in-depth technical documents, the assessment team can then set up meetings to review the controls in place for those five areas, and focus the bulk of the time in conversations over the remaining 15 areas. There is no need to waste time digging into what’s already known and well-understood.

Understanding the Roadmap

When undergoing a security assessment, the organization typically is looking at the controls from a top-down perspective. The assessor is not there to perform a technical hands-on test or find out which vulnerabilities need to be patched.

After the assessment is complete, the organization will be able to identify areas needing immediate attention and will have the direction for evolving its security strategy over the next three to five years.

Security Assessment in a Nutshell

Information security is a dynamic field with rapidly changing technology and evolving threats. The number of threats is growing every day and attackers rapidly adopt new techniques. Attackers have different goals, whether they are after financial gain, espionage, blackmail, or just plain publicity. Nearly every organization—independent of size—is a target, especially as attackers piggy-back on smaller companies to reach larger ones.

Board members and executives need to become more involved in ensuring their organizations are making the right investments in people, processes, and technology to provide adequate security for the risks and threats they face. A security assessment is one of the best ways to ensure you are on the right path and give you the visibility you need.

How to Select the Right Team for Your Security Assessment

A security assessment is a critical part of understanding the organization’s security maturity and the security strategy, so selecting a trusted assessor is critical. Here are some of the things to keep in mind when interviewing a security assessment team.

  1. Look for a team comprised of individuals with a broader understanding of information security processes. These are people that understand security operations, enterprise networking, and architecture. Look for experience dealing with security applications, including security information and event (SIEM)/log management, governance risk compliance (GRC), identity access management, IDS/IPS, advanced persistent threats, antivirus, vulnerability management, and business intelligence.
  2. It’s important the assessor understands the industry, but make sure the assessor is also familiar with security topics outside the industry vertical. Not specializing in one specific sector will ensure the broadest level of knowledge.
  3. Ask to see samples of deliverables. Ensure the assessment will end with deliverables outlining a roadmap and a detailed picture of what the security controls look like. The report needs to have information that will be used at both operational and management levels. It should include action items that define relevant steps on what to do next. The final deliverable must have specific recommendations for addressing gaps or issues identified, a list of steps that need to be taken, and a timetable of when they need to be performed. Also, ask what kind of executive-facing deliverables will be available, with detailed executive summaries about the issues identified and strategic recommendations on closing the gaps.
  4. Will the team perform the assessment on-site, or remotely? There is a value to performing an assessment on-site, but there may be circumstances preventing the team from being able to conduct face-to-face conversations. Ask what the remote assessment will entail. On the other hand, be wary if the assessor insists on a large on-site team for an extended period of time. Many firms use assessments as training ground for junior staff members. This will result in a team of, for example, six assessors with an effective throughput of two or three. At the same time, you’ll be paying a premium for senior members of their team to train junior staff on your dime.

Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,500 organizations, including 30 percent of the Fortune 1000. From the endpoint to cloud, they provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. For more information, call 866-7-Rapid7 or visit their website.