I know…I get the calls myself from information security vendors of all stripes and flavors, but the ongoing, incessant calls asking me to pay for an Assessment of some type or a “Health Check” are annoying. Much as I believe that the push is overdone, I also believe that there is a need for Security Assessments, but you have to understand what your requirements are.
Security Assessments are an excellent tool for small and mid-market businesses, generally because companies of this size do not have the staff to address security themselves. Such companies can leverage a solid Security Assessment to define the security program for the firm.
NIST based. Make sure that your assessment is based on a legitimate and acknowledged third-party authority. I use NIST when providing these services simply because it is very well known in the United States and is updated more frequently than other standards such as ISO. NIST is a controls framework that addresses the best-known risks to information and systems. This standard provides an auditable set of control objectives on which to base your information security program going forward. It also provides a mechanism for management to track the status and quality of the information security program against expectations.
Remember to consider risks that are unique to your type of business that may not have been incorporated into NIST yet. I do not see this omission often, but it can happen, and it should be documented as part of the Security Assessment.
Also, keep in mind that NIST is exceptionally large and is meant to be generic and applied universally. Not all of it will apply to your business or to all of your segments. Part of the assessment is to produce a customized set of NIST-derived control objectives that are specific to YOUR business.
Your business, not the news. Focus on what applies to your business; do not get sidetracked by what is in the news. I have been called in after specific breaches and malware attacks to address gaps in the security program. What I find is that the client has many more gaps than expected. In many cases, I am very concerned that there were past breaches that went undetected. If your firm operates information security in a reactionary manner and spends money on tools rather than on skills and processes, you will have gaps. You will never be secure.
Security relies on breadth and depth. Nothing is perfect: tools fail, need patching, were not tuned appropriately, and so on. That is why we want multiple layers of protection in a security program. A substantial proportion of those layers should be preventive rather than detective (after the fact).
What should you get? Whoever you choose should have a defined approach, as there is an element of style to the process. My style and approach to Security Assessments are more interactive, and it is important for the Security Assessment to:
• Leverage a questionnaire and the current documentation available. Like it or not, information security is a documentation-intensive discipline. The documentation you have on your systems, applications and partners is an integral part of the review. This documentation allows the assessor to determine other “soft” aspects, such as staff security awareness, and to focus the assessment on areas at risk for your business. It also reduces the cost.
• Speak to the business leaders, not just IT or senior management. Assessors cannot rely upon questionnaires and current documentation alone. Assessing the adequacy of, or building, a Security Program requires understanding how the business and IT operate and what key issues and concerns the company has related to information security. The security team will never be able to partner with the business if the business's concerns are not heard and considered. This meeting takes place in person to achieve the best results.
• Engage IT. IT systems and operations are a critical component, and there can be some friction from IT at having an outsider review and give an opinion on how they are doing their job. Again, security has to partner with IT while also holding them accountable to specific requirements that protect the business. Those concerns have to be heard, and security cannot be permitted to interfere with the business goals.
• Present options. There are multiple ways to address the requirements that come out of any professional Security Assessment. The final report should outline the options discussed and the reasoning behind them.
Thank you for reading!