It is no surprise that bad actors constantly seek to take advantage of current events and changing circumstances to exploit vulnerabilities and gaps in the security of organizations across a myriad of industry verticals and sizes. However, businesses that ignore security assessments because of a lack of resources, funding, etc., increase their chances of falling victim to numerous types of cyberattacks and security breaches. The cost of a proactive security assessment is minimal compared to the damage of a successful attack. The financial cost of a successful attack can be dramatic and include breach or other litigation costs, loss of clients, reputation, intellectual property, and increased insurance premiums, among many other effects. Because of how most organizations operate today, it has become crucial to mitigate security threats and use effective preventive measures to support the security and quality of an organization’s operations. Achieving a solid security posture is possible via a security assessment.
What is a security assessment? A security assessment is often referred to in a many different ways and can vary considerably in method, rigor, and scope. However, the fundamental purpose remains the same – identifying and quantifying the organization’s information asset risks. Security assessments are periodic cornerstone maintenance exercises that evaluate an organization’s security preparedness by examining all vulnerabilities, including the administrative, technical, and physical aspects of your environment that are susceptible to critical threats. Security assessments help verify that an entity employs adequate security controls and verifies whether those security controls are functioning as expected to safeguard critical organizational assets effectively and lower the risk of future attacks. This information is then used to determine how best to mitigate those risks and efficiently protect the organization’s critical assets. One thing to note is that many tend to focus solely on hardware and software vulnerabilities. In reality, security assessments need to focus on people, processes, and technology.
Security assessments usually include the use of security testing tools but typically extend beyond automated scanning and manual penetration tests. Also included is a thorough evaluation of the threat environment, current and future risks, and the importance of the targeted environment. The primary output from a security assessment is an assessment report addressed to management that contains the assessment results in nontechnical language and concludes with specific recommendations for improving the security of the tested environment.
Assessments may be performed by an internal team or outsourced to a third party with specific expertise in the areas being assessed. Assessment and testing results are meant for internal use only. They are designed to evaluate controls with a focus on finding potential improvements. In contrast, audits are evaluations conducted to demonstrate the effectiveness of controls to a legal or regulatory agency or other interested third parties.
What Industries Require a Security Assessment, and Why Are They Necessary?
Most organizations create, store, process, and transmit some level of personally identifiable information (PII) or other confidential data as part of daily operations. As such, these organizations should conduct a security assessment. Additionally, many governing bodies or regulations require security assessments such as GDPR, HIPAA, PCIDSS, Sarbanes-Oxley, FISMA, etc.
Although there are many benefits to security assessments, some of the primary advantages allow organizations to:
- Set the baseline for ongoing cybersecurity efforts
- Identify critical assets within the organization
- Understand what data is created, stored, processed, and transmitted
- Create risk profiles and prioritization for critical assets and help prevent unnecessary spending by focusing on the top security controls for critical areas
- Evaluate asset criticality for business operations which includes overall impact on revenue, reputation, and the likelihood of an entity’s exploitation
- Develop mitigating controls for each asset based on results to reduce risk
- Indicate where additional resources or training may be needed
- Comply with legal and regulatory standards
- Maintain systems and policies
Security assessments offer a proactive approach to the overall risk management of an organization. Reactive risk management minimizes the damage of successful exploits and facilitates rapid recovery. The latter is much more costly to an organization and does not support duty of care or due diligence as required by many best practices or regulations.
Where Do I Start?
Since every organization is different, choosing the type of assessment that should be performed depends on the entity’s needs and priorities. If general prioritization is needed, then a fundamental approach to a security assessment can be taken. If a more detailed assessment is necessary, the basic approach can be a practical first step in producing an overview to guide decision-making for a more in-depth assessment. Many small businesses will enlist the services of a third party to conduct a security assessment because they do not have the necessary experience or knowledge of IT security. However, whether the assessment is conducted internally or via third-party enlistment, the foundational piece to any security assessment requires having a thorough understanding of the entity’s critical assets and understanding where sensitive data is created, processed, transmitted, and stored. Remember that it is important to include all systems, applications, and users because each of these contributes to your overall attack surface.
There are several industry best practices or frameworks organizations can leverage as the basis for a security assessment. These include the CIS Critical Security Controls, ISO/IEC 27001, or other regulatory frameworks specific to particular industries. The risks and vulnerabilities to the organization will change over time, so a security assessment can help address the dynamic nature of new risks or vulnerabilities that arise.
Final Thoughts
Security assessments should be a continuous activity and incorporated as a business-as-usual function. It is important to understand that a security assessment is not a one-time security initiative. For mission-critical information systems, it is highly recommended to perform a security assessment more frequently, if not continuously. Having a current snapshot of threats and risks to which an organization is exposed can reduce overall risk.
Biography:
Kelly O’Brien is a Senior IT Auditor with Compass IT Compliance. Kelly is an information technology & cybersecurity professional with over 20 years of experience in the field. She holds multiple industry-level certifications and belongs to several professional industry organizations. Kelly has been involved with The Honor Foundation, serving as a volunteer career coach for military Special Operations Forces looking to transition from a military career to a corporate career, specifically in Cyber Risk & Compliance.
Kelly O’Brien
Cybersecurity Practitioner
CCTA, CDPSE, CISA, CISM, CRISC, CFE, PCI-QSA, CMMC-AB (RP)