How to Use Security Assessments to Enhance Your Security Program
Many organizations feel that they have mature security programs and controls in place that meet or exceed the necessary baselines. Yet every industry challenges its security practitioners and leaders at least yearly with new requirements driven by trends and new attack vectors, which demands a mature, collaborative team that is constantly evolving. One approach many security leaders lean on to keep their programs evolving and learning is to have the program attested by people who did not build it, by commissioning a security assessment.
Security assessments come in various forms and serve two purposes: they validate your program, and, more importantly, they give you insight from industry experts. These experts routinely help other companies enhance their programs, and that experience brings a unique outside perspective to the assessment. Note that a security assessment is not a penetration test, which tends to be more invasive and is often performed covertly. A security assessment will usually focus on a control point or a compliance requirement, but it does not need to be limited to that.
One type of assessment is a PCI gap assessment, which lets a company that takes payments, issues credit cards or operates systems that handle credit card transactions confirm that its program is built properly to secure cardholder data. The good news is that you don't necessarily have to pay for an assessment: the PCI Security Standards Council publishes a very good assessment checklist and supporting documents on its site that allow you to self-assess. What third parties that specialize in security assessments can do for you is validate that self-assessment and prepare you for an audit. They prepare you by having a QSA (Qualified Security Assessor), who knows what will be asked and whom you may not have on staff, perform the assessment.
There are other types of security assessments as well, such as a role-based access control (RBAC) assessment. This audits how you onboard users to your organization and grant them access according to their job functions, and it ensures that you can qualify and quantify the risks of administrator logins within your organization. Another type is a network security assessment, in which your network, access lists, firewalls, and detection and prevention systems are audited to ensure that proper segmentation, controls and restrictions are in place for your organization's network access, both internally and externally. Beyond these examples there are others, such as risk assessments that produce key risk indicators to present to upper management or the board, password policy assessments, and just about anything else you can think of.
So now that you are nervous enough about all of this… don't be. Security assessments are voluntary and can even be run internally through your audit department as part of yearly attestation. Should your audit department find a flaw, they can tell you what needs to be done. If they are concerned that there is no clear solution to the findings, bring in a third party that can perform a more in-depth assessment, which provides far greater value and visibility into the gaps in the program being assessed. In short, this is a good thing for you, your team and the organization. Identifying these gaps is a great way to build proper roadmaps and to align priorities so the remediation work can be scheduled.
Now to the burning question we all have: what does an assessment entail, what does the process look like, and how invasive is it? That really depends. Usually an assessment kicks off with a first phase consisting of a series of interviews with the teams that need to be involved. These interviews provide the base information needed for the second phase. Questions such as which encryption standards are in use, along with requests for network diagrams and for policies and procedures, are put to the organization and drive the next phase of the assessment, which asks for evidence for the answers given in the first phase in the form of demonstrated controls.
During the second phase, the interviews take a more technical form, in that evidence is gathered to validate your control points and policies, as stated above. Once this phase commences, the evidence can take the form of screenshots, interviews in which the control is demonstrated, and more detailed questions about each point. This can be a more grueling process depending on the type of assessment and on how clear the information provided is. After this is completed, the assessment goes dark for the organization: this is when the assessor compiles the information, makes observations, writes the report and lists recommendations so that any corrective actions are documented, provided that last piece is within the assessor's expertise and called out in the engagement.
In the end, security assessments are a crucial part of vetting your security program as an organization, whether handled internally or externally. The visibility, validation and guidance they provide can enhance the program and uncover gaps in the controls of the company being assessed. The assessment can also surface recommendations on requirements that are coming into effect, which already overburdened security teams would otherwise have to track on top of all their other responsibilities. Combining internal audit and external assessments into your security program each year will help ensure that your security posture evolves, grows and transforms along with the constantly changing attack vectors we face every day.
Felipe Medina is responsible for establishing and maintaining a corporate-wide information security technology program to ensure that information assets are adequately protected both on premises and within multiple cloud environments and technologies. This includes maintaining an up-to-date understanding of the latest security threats, trends and technologies; managing and supporting existing security solutions; evaluating, designing and implementing new technical security controls; and working to meet security objectives. He manages the Information Security Operations team, its budgets and demand management in an agile work environment, reporting directly to the CISO.