Your monthly “security assessment” may not be as secure as you think

When asked about security practices, many organizations are quick to respond: “We do a security assessment every month [or quarter].”  But what do you mean by security assessment?  Often, this “security assessment” is a network or vulnerability scan performed by an automated appliance or service.  This is not a security assessment.

Before anyone thinks we are discrediting vulnerability scans: these scans play an important and worthwhile role in an overall security strategy, but scoring well on a security scan is not an indication of your organization’s security health.  At best, a security scan indicates that specific devices are patched and configured properly.  At worst, it provides a false sense of security, because the scan tests and verifies only one narrow, specific aspect of your security.


OK, so a security scan is not a security assessment.  What should I be doing to secure my organization?

Strong information security starts with an up-to-date and comprehensive view of your organization’s information assets and practices.  Identifying what in your organization must be defended is the first step; modeling threats and determining the likely ways the organization may be attacked is the second.  These are complex topics worthy of their own future articles.  For now, let us assume that you already know the most valuable information and information systems in your organization.

Valuable information assets, and the threats targeting them, are often similar within an industry.  For example, many retailers process credit card (payment card) data.  This data is a vital part of their business because it is how they get paid, and handling it means they are bound by PCI DSS.  A likely threat is malware targeting the retailer’s point of sale (POS) systems with the goal of skimming credit card numbers and/or transactions.

A Comprehensive Assessment

Knowing the threats that face your organization and having a clear definition of your most valuable information assets does not, by itself, tell you how to secure your organization.  To know this, you need a comprehensive assessment.  The assessment collects the organization’s established practices and its compliance with those practices.  This information is organized into twenty (20) industry-standard security controls and summarized into a dashboard view of the organization’s information security.  With this assessment report, you will know where to best spend time and money to improve your organization’s security posture.  The process then repeats on a regular basis (quarterly, annually, etc.), allowing you to trace your investment and track your improvement in each security control as an organization.  This is your security assessment.

CIS Critical Security Controls

Figure: Critical Security Controls dashboard summarizing the results of each control section.
Figure: An example of Critical Security Control #1, “Inventory and Control of Hardware Assets”.
Screenshots are based on AuditScripts CIS Critical Security Controls and are licensed under the Creative Commons 4.0 ShareAlike license.  AuditScripts does not endorse or have any affiliation with 3KeyLogic, LLC or its partners.

Vision and Wisdom

The assessment provides industry-backed vision for your information security strategy.  Time and money can be spent strategically to raise scores on the critical security controls most important to your organization.  Traceability provides wisdom: by comparing the current assessment to previous assessments, you can track the security posture impact of the time and money spent on project implementation and vendor products.

3KeyLogic offers a free, industry-specific security self-assessment to help you take a guided look at your organization’s security practices.  To discuss further, please give us a call at 952-885-7810 or contact us.