What is the best way to measure information security risk? It is to focus specifically on the vulnerabilities of the systems and applications, a little like measuring the health of a human being through procedures such as magnetic resonance imaging and blood analysis. Some people call these exercises IT security audits; others call them penetration tests.
An in-depth analysis of an environment is not just comparing policy against how things actually work (an IT security audit), nor only trying to break in and prove a point (a penetration test). Such exercises are better described as information security assessments: they are broader and have a more meaningful scope, which helps clarify where security policies and procedures fall short.
The semantics of security testing can be debated, but the ultimate goal is to find and fix the weak spots before someone misuses them. It is the duty of security professionals to ensure that proper measures are in place to identify and understand the risks, and then to resolve or accept them as part of the information risk management lifecycle. The following are key components of effective information security assessments.
No good information security assessment program has ever begun, or succeeded in the long term, without the support of management. It is as simple as that.
Scoping is the most important phase of a solid information security assessment. There have been countless examples in the past where systems, applications, and even entire network environments were excluded from security testing.
Testing starts with vulnerability scans, moves through the scanner findings, and ultimately performs manual analysis to determine what is actually vulnerable to attack in the context of the business.
A PDF report from a vulnerability scanner will not do. What is required is a clear and concise security assessment report that outlines prioritized, common-sense findings and recommendations.
If a problem is known, it should be fixed. Too often, security assessment reports and their specific findings contain information that remains unacknowledged indefinitely, or at least until the same finding is reported again after a subsequent security assessment.
Ensuring continuous security between assessments may require anything from something as basic as tweaking existing systems and software to implementing new controls or completely overhauling policies and processes.
These assessments are not the perfect solution to all of your security woes, even when carried out regularly and consistently over time. However, if this exercise is ignored, history will undoubtedly repeat itself.