Are you an IT security expert, a body guard or an intending executive protection officer? Do you know how to conduct a security assessment? If no, then here’s an in-depth guide on how to conduct a security risk assessment.
People and organizations are becoming more vulnerable to crimes such as physical attacks, fraud, blackmail, cyber attacks and so on because they handle their confidential information carelessly.
For this reason, most regulatory bodies have stipulated heavy penalties for mismanagement of confidential information.
This in turn has forced organizations to fortify their systems. But no matter how strong the security measures already in place may be, there is the need for organizations to evaluate the security status of their infrastructure on a regular basis.
In this post, we will be looking at how to conduct a security assessment. But before we go into the details of that, I will give a brief introduction to security controls. If you understand how security systems are put together, you will easily understand the several requirements in a security regulation.
Even if you are a trained IT professional, taking a broader view will help you better understand the challenge of keeping a system safe from threats. Gone are those days when securing a system was as simple as encrypting data and installing additional firewalls.
Conducting Security Assessment–Where should you start from?
Most of the time, people focus their security requirements on protecting information only. However, another asset that is often overlooked and should be protected is the people, the individuals working in an organization. Most organizations have put little or no measures in place to protect their employees.
Even though this isn’t the responsibility of the IT department, arrangements must be made to strengthen human security. Now, to the issue of data, this of course is deemed more important.
When protecting data, these three important questions must be answered:
- Who/what can view the data? In other words, how confidential is the data?
- Who/what can alter the data (integrity)?
- How can authorized users or applications gain access to the data (availability)?
Security regulations focus more on one or two of these three categories. For example, regulations binding the credit card industry focus more on confidentiality, while those binding fiscal reporting focus more on who can alter the data. However, some industries have regulations that include either categories, or even all the three.
Another basic principle worth keeping in mind is that there’s no one-size-fits-all security solution that would deliver perfect results in all instances.
Conducting a Security Assessment – What should you examine?
The first step to take when conducting a security assessment is to determine what you will examine and what you don’t need to examine. Ideally, you should list your concerns and then group them into the following categories:
- External network components: systems and devices that can be accessed via the internet or from partner networks
- Internal network components: printers, servers, workstations, and other devices used by the employees within the organization.
- Applications and databases: these store sensitive data and allow employees, partners, and customers to conduct important transactions.
- Guest or remote networks: untrusted wired and wireless networks used by visitors or remote VPN users.
- Security procedures and policies: these guide IT personnel and others within an organization in utilizing and maintaining IT infrastructure.
The motive behind a security assessment is to examine the areas listed above in detail to find out any vulnerability, understand their relevance, and prioritize them in terms of risk. Having these vital pieces of information will help you develop a remediation plan.
In addition, knowing what should be included in a security assessment helps you estimate the required effort and cost. If you cannot afford the expenses all at once, you can fragment the process into bits to be completed at intervals, starting with the most important assessments.
What problems should you look for?
During a security assessment (especially one which includes evaluating technological components of an organization’s infrastructure), problems that are looked out for include the following
- System security updates
- Weak passwords
- Deficiencies in the architecture of the network
- Errors in the system configuration
So what type of test should you conduct?
There are two types of security assessment:
- Vulnerability assessment
- Penetration test
A vulnerability assessment involves analyzing the infrastructure components and network architecture to look for the problems listed above. However, a vulnerability assessment usually doesn’t entail testing the system for likely vulnerabilities that may emanate in future.
A penetration test is also known as ethical hacking. It tests a system and secures it against future vulnerabilities. The tester mimics and attacker’s actions in order to exploit these vulnerabilities and study how secure the system is against such. So, which of the two testing approaches should you choose? Well, it all hinges on the assessment expectations of your organization, the nature of the data you handle, and the security regulations binding your organization.