5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT

Transcription

1 5 5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT 1

2 Anatomy of a Security Assessment With data breaches making regular headlines, it s easy to understand why information security is critical. A security assessment is a key step in understanding your organization s level of readiness and maturity. It reveals security gaps and the associated risks, focusing on your overall business environment rather than specific controls or processes. Why do I need one? Security assessments are often mandated by government and industry regulations such as HIPAA, PCI, FISMA, Sarbanes-Oxley, etc. Even if these regulations don t apply, chances are you can still benefit from having an independent party identify ways to improve your security practices. What are the benefits? Regular assessments help organizations adapt to new threats, increase employee awareness, and can even uncover evidence of an existing compromise (in other words, if an outsider has accessed your network). The recommendations resulting from a security assessment can help organizations formulate a strong security strategy. Executives can use the results to help factor high-impact investments into future business plans, and customers often view an assessment as proof that you take security seriously. Read on to learn 5 best practices that will help ensure you re deriving maximum value from an assessment. TIP #1: Define the Scope. Clearly. Security assessments aren t one-size-fitsall. Market pressures, infrastructure, culture, risk tolerance all of these can vary, so make sure that the key players agree on the scope before the assessment team gets to work. 2

3 To help define the scope, here are some questions to ask yourself: Will this be a comprehensive, top-down, no-holds-barred assessment? Or should the team focus on specific areas, such as certain security policies and procedures? Take the time to map this out in advance. Do I need a security assessment or a penetration test? These are two different things. A security assessment is a top-down evaluation of security practices and helps you understand the strengths and weaknesses of the processes that are in place. It can uncover pervasive and systemic issues within your organization. A penetration test is a bottoms-up approach that identifies specific instances of issues and focuses on what s missing, such as how many vulnerabilities exist or what to patch. What are the required deliverables? After an assessment, organizations should receive recommendations a roadmap, a detailed evaluation of existing security controls, next steps, and a timetable based on risk and priority should all be part of the final report. Executive-facing summaries should be included as well. Are expectations aligned? Have a kick-off call to discuss logistics, introduce primary stakeholders and team members, and determine a timeline for the assessment. What should be included in the assessment itself? Should regulatory or compliance needs be considered as part of the assessment? Are you focused on a particular framework or security best practices?to maximize your investment, confirm that you re enlisting people who are well versed in responding to compromises of varying size and severity. Once you ve locked in your IR firm, establish an incident response team and identify the key players so you can start planning. 3

4 TIP #2: Get Your Documentation in Order. Your assessment team will ask for documentation referencing existing processes, security policies, guidelines and standards. These documents will help them understand your organization s current state, help frame discussions during the assessment, and identify gaps. Remember, the issue at hand isn t how well processes are documented, so there s no need to worry if only informal materials are available. Here are some examples of documents and collateral that you ll want to provide: Configuration Management and Change Control STANDARD CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON: Mobile Devices, Laptops, Workstations, and Servers Business Continuity and Data Recovery Processes BUSINESS CONTINUITY AND DATA RECOVERY PROCESSES Practices for Inventorying Devices and Software PROCESS DOCUMENTATION Documentation on Antimalware and Other Security Tools Wireless Access Controls Network Access Polices Application Software Security Security Awareness and Training Practices Secure Coding Standards Patch Management Processes VULNERABILITY ASSESSMENT AND REMEDIATION PRACTICES TIP #3: Focus the Conversation. An efficient and effective assessment hinges on having a proper understanding of your organization s environment. The assessment team needs to conduct interviews make sure they re speaking with the right people, especially if there is an area that is lacking in documentation (see tip #2). The goal of the interviews is to understand what technologies and practices exist, what high-level controls are in place, and how processes are being followed. So take time to prepare. Interview questions can vary, as typically they are quite technical in nature and unique to your particular organization/the assessment itself. 4

5 TIP #4: Pick the Right People for the Job. Even if you can do a self-assessment, input from an independent third party is indispensable. But how do you know you re enlisting the best team? Here are factors to consider: Background It may seem obvious, but you don t just want individuals with a broad understanding of information security processes. You also want them to have a strong background in technical testing, and extensive experience dealing with security applications, including security information and event (SIEM)/log management, governance risk compliance (GRC), identity access management, IDS/IPS, advanced persistent threats, antivirus, vulnerability management, and business intelligence. You also want them to be familiar with security topics outside a specific vertical industry. Quality of work When it s time to deliver, you ll need a high-quality finished product. Remember, you want to walk away with detailed recommendations (see tip #5). Ask for samples of the team s prior work and client deliverables. Look for a clear roadmap of recommendations as well as a detailed description of the current environment and make sure the information can be used at both the operational and management level. If the team you re vetting suggests specific technologies or vendors in their proposal, they may simply be following a template rather than evaluating your specific needs. Size Determine where the assessment will be performed and how many members need to be on the team. Note that a larger number of people isn t always preferable. For example, a significant number of junior staffers will result in a team with six assessors but the capacity of just two or three. TIP #5: Learn, Improve. Don t just toss the results of the assessment into a drawer. Study them closely. Used properly, they can be a springboard to better security. 5

6 Focus on remediation, asking yourself what you need to do in order to tackle the more critical issues that emerged from the assessment. Do you need to sideline any projects? Create new ones? Make the case for certain investments? In some instances, you may even determine that you need another, more in-depth assessment. Or, if a compliance audit is imminent, you ll want to know how the gaps identified in the security assessment will have an impact. The Threat Landscape Technology is evolving, but so are threats. Attackers are growing increasingly sophisticated, adopting new techniques, and pursuing a wide range of goals be it financial gain, espionage, or notoriety. Regardless of industry and size, assume that your organization will be targeted, at some point, by an attacker. Safeguarding against threats is no easy feat, given business complexity and budget limitations. But all is not lost: understanding how systems, applications, data, storage devices, and communication mechanisms relate to each other helps you allocate resources optimally. In this way a security assessment can give you a leg up. Ultimately, you ll be able to provide executive management and leadership teams with a clear picture of what s in place, what s working, and what s not. About Rapid7 Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,900 organizations, including 30% of the Fortune From the endpoint to cloud, we provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. Our Strategic Services Program Development helps transform your organization s security program to be relevant, actionable, and sustainable through threat-focused program assessment and development services. Recommendations and advice provide measurable cyber-security improvements over a timeframe appropriate to your organization. Learn more: Rapid7.com