What is the best way to measure information security risk? Look directly at the vulnerabilities in the systems and applications themselves, much as a doctor measures a patient's health through MRI scans, blood analysis and similar tests. Some people call these exercises IT security audits; others call them penetration tests.
An in-depth analysis of an environment is neither just a comparison of written policy with how things actually work (an IT security audit) nor just an attempt to break in and prove a point (a penetration test). The broader exercise is better described as an information security assessment, and its wider scope is what shows where security policies and procedures fall short.
The terminology can be debated, but the goal is the same: find and fix the weak spots before someone exploits them. Security professionals are responsible for making sure the right measures are in place to identify and understand each risk and then either resolve it or formally accept it as part of the information risk management lifecycle. The key components of an effective information security assessment are:
Support- No good information security assessment program ever began or succeeded in the long term without the support of management. It’s as simple as that.
Scope- This is the most important phase of a solid information security assessment. Time and again, individual systems, applications and even entire network environments are excluded from security testing, and whatever is excluded stays untested.
Testing- Start with vulnerability scans, work through the scanner findings to weed out duplicates and false positives, and finish with manual analysis to determine what is actually exploitable and what that exposure means in the context of the business.
Reporting- What is needed is a clear and concise report with prioritized, common-sense findings and practical recommendations, not a raw scanner export.
Resolution- Once a problem is known, it should be fixed. Too often, findings in an assessment report go unacknowledged indefinitely, or at least until the same finding turns up again in the next assessment.
Oversight- Keeping things secure between assessments may require anything from tuning existing systems and software to implementing new controls or completely overhauling policies and processes.
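As an added illustration of the testing, reporting and resolution steps above (this is not code from the original article), the following Python script takes constructed scanner output, removes duplicate rows, overlays the tester's manual verdicts, weights each finding by the asset's business criticality and exposure, and flags findings that were already open at the previous assessment. The hosts, checks, asset inventory, weights and priority thresholds are all assumptions made for the example.

```python
"""Triage vulnerability-scanner output into a prioritized assessment report.

Added example, not code from the original article. All input below is
constructed sample data, and the scoring weights and thresholds are an
illustrative assumption rather than an industry standard.
"""

# Constructed scanner output, one row per (host, check). The second row is a
# deliberate duplicate of the first: scanners commonly repeat a finding when a
# host answers on several ports, and duplicates inflate the raw count.
SCAN_FINDINGS = [
    {"host": "10.0.1.10", "check": "tls-weak-ciphers", "cvss": 5.3},
    {"host": "10.0.1.10", "check": "tls-weak-ciphers", "cvss": 5.3},
    {"host": "10.0.1.10", "check": "sqli-login-form", "cvss": 9.8},
    {"host": "10.0.2.20", "check": "default-admin-creds", "cvss": 9.8},
    {"host": "10.0.2.20", "check": "outdated-ssh-banner", "cvss": 7.5},
    {"host": "10.0.3.30", "check": "tls-weak-ciphers", "cvss": 5.3},
]

# Constructed asset inventory: the business context the scanner does not have.
ASSETS = {
    "10.0.1.10": {"name": "customer-portal", "criticality": 5, "internet_facing": True},
    "10.0.2.20": {"name": "hr-intranet", "criticality": 3, "internet_facing": False},
    "10.0.3.30": {"name": "dev-sandbox", "criticality": 1, "internet_facing": False},
}

# Manual analysis overlay: the tester's verdict on specific scanner hits.
MANUAL_TRIAGE = {
    ("10.0.2.20", "outdated-ssh-banner"): "false_positive",  # backported fix, banner only
    ("10.0.1.10", "sqli-login-form"): "confirmed",           # exploited during testing
}

# Findings that were reported last time and never resolved.
PREVIOUS_OPEN = {("10.0.1.10", "tls-weak-ciphers"), ("10.0.2.20", "default-admin-creds")}


def dedupe(findings):
    """Collapse repeated (host, check) rows, keeping the highest CVSS seen."""
    best = {}
    for f in findings:
        key = (f["host"], f["check"])
        if key not in best or f["cvss"] > best[key]["cvss"]:
            best[key] = f
    return list(best.values())


def risk_score(finding, asset, verdict):
    """Combine scanner severity with business context (assumed weights)."""
    score = finding["cvss"]
    if asset["internet_facing"]:
        score += 1.5                      # reachable by anyone on the internet
    score += 0.5 * asset["criticality"]   # business impact of the affected host
    if verdict == "confirmed":
        score += 2.0                      # proven exploitable by hand, not just flagged
    return score


def priority_band(score):
    """Map a score to a remediation band (assumed thresholds)."""
    if score >= 10.0:
        return "P1"
    if score >= 7.5:
        return "P2"
    if score >= 5.0:
        return "P3"
    return "P4"


def build_report(findings, assets, triage, previous_open):
    """Return deduplicated findings sorted by priority. False positives are
    dropped; findings still open from the last assessment are flagged."""
    report = []
    for f in dedupe(findings):
        key = (f["host"], f["check"])
        verdict = triage.get(key, "unverified")
        if verdict == "false_positive":
            continue
        # A host missing from the inventory is itself a scope gap; assume the
        # conservative case (exposed, medium criticality) rather than ignoring it.
        asset = assets.get(key[0], {"name": key[0], "criticality": 3, "internet_facing": True})
        score = risk_score(f, asset, verdict)
        report.append({
            "host": f["host"], "asset": asset["name"], "check": f["check"],
            "cvss": f["cvss"], "verdict": verdict, "score": round(score, 1),
            "priority": priority_band(score), "recurring": key in previous_open,
        })
    report.sort(key=lambda r: (-r["score"], r["host"]))
    return report


def recurring_findings(report):
    """Findings that were already reported last time and are still open."""
    return [r for r in report if r["recurring"]]


if __name__ == "__main__":
    for r in build_report(SCAN_FINDINGS, ASSETS, MANUAL_TRIAGE, PREVIOUS_OPEN):
        flag = "  (still open since last assessment)" if r["recurring"] else ""
        print(f'{r["priority"]} {r["score"]:>5} {r["asset"]:<16} {r["check"]:<22} [{r["verdict"]}]{flag}')
```

The point of the weighting is that the same weak-cipher finding lands in different bands on the internet-facing customer portal and on the isolated sandbox, which a raw CVSS sort cannot express, and that anything carried over from the previous report is called out explicitly so it cannot quietly go unacknowledged a second time.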
These assessments are not a cure for every security problem, even when carried out consistently over time. But if the exercise is skipped, history will certainly repeat itself.