5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT

Anatomy of a Security Assessment

With data breaches making regular headlines, it's easy to understand why information security is critical. A security assessment is a key step in understanding your organization's level of readiness and maturity. It reveals security gaps and the associated risks, focusing on your overall business environment rather than specific controls or processes.

Why do I need one?
Security assessments are often mandated by government and industry regulations such as HIPAA, PCI, FISMA, Sarbanes-Oxley, etc. Even if these regulations don't apply, chances are you can still benefit from having an independent party identify ways to improve your security practices.

What are the benefits?
Regular assessments help organizations adapt to new threats, increase employee awareness, and can even uncover evidence of an existing compromise (in other words, whether an outsider has already accessed your network). The recommendations resulting from a security assessment can help organizations formulate a strong security strategy. Executives can use the results to help factor high-impact investments into future business plans, and customers often view an assessment as proof that you take security seriously.

Read on to learn 5 best practices that will help ensure you're deriving maximum value from an assessment.

TIP #1: Define the Scope. Clearly.
Security assessments aren't one-size-fits-all. Market pressures, infrastructure, culture, risk tolerance: all of these can vary, so make sure that the key players agree on the scope before the assessment team gets to work.

To help define the scope, here are some questions to ask yourself:

Will this be a comprehensive, top-down, no-holds-barred assessment? Or should the team focus on specific areas, such as certain security policies and procedures? Take the time to map this out in advance.

Do I need a security assessment or a penetration test? These are two different things. A security assessment is a top-down evaluation of security practices and helps you understand the strengths and weaknesses of the processes that are in place. It can uncover pervasive and systemic issues within your organization. A penetration test is a bottom-up approach that identifies specific instances of issues and focuses on what's missing, such as how many vulnerabilities exist or what to patch.

What are the required deliverables? After an assessment, organizations should receive recommendations: a roadmap, a detailed evaluation of existing security controls, next steps, and a timetable based on risk and priority should all be part of the final report. Executive-facing summaries should be included as well.

Are expectations aligned? Have a kick-off call to discuss logistics, introduce primary stakeholders and team members, and determine a timeline for the assessment.

What should be included in the assessment itself? Should regulatory or compliance needs be considered as part of the assessment? Are you focused on a particular framework or security best practices?

to maximize your investment, confirm that you're enlisting people who are well versed in responding to compromises of varying size and severity. Once you've locked in your IR firm, establish an incident response team and identify the key players so you can start planning.

TIP #2: Get Your Documentation in Order.
Your assessment team will ask for documentation referencing existing processes, security policies, guidelines and standards. These documents will help them understand your organization's current state, help frame discussions during the assessment, and identify gaps. Remember, the issue at hand isn't how well processes are documented, so there's no need to worry if only informal materials are available.

Here are some examples of documents and collateral that you'll want to provide:
Configuration Management and Change Control
Standard Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Business Continuity and Data Recovery Processes
Practices for Inventorying Devices and Software
Process Documentation
Documentation on Antimalware and Other Security Tools
Wireless Access Controls
Network Access Policies
Application Software Security
Security Awareness and Training Practices
Secure Coding Standards
Patch Management Processes
Vulnerability Assessment and Remediation Practices

TIP #3: Focus the Conversation.
An efficient and effective assessment hinges on having a proper understanding of your organization's environment. The assessment team needs to conduct interviews; make sure they're speaking with the right people, especially if there is an area that is lacking in documentation (see tip #2). The goal of the interviews is to understand what technologies and practices exist, what high-level controls are in place, and how processes are being followed. So take time to prepare. Interview questions can vary, as typically they are quite technical in nature and unique to your particular organization and the assessment itself.

TIP #4: Pick the Right People for the Job.
Even if you can do a self-assessment, input from an independent third party is indispensable. But how do you know you're enlisting the best team? Here are factors to consider:

Background
It may seem obvious, but you don't just want individuals with a broad understanding of information security processes. You also want them to have a strong background in technical testing, and extensive experience dealing with security applications, including security information and event management (SIEM)/log management, governance, risk and compliance (GRC), identity and access management, IDS/IPS, advanced persistent threats, antivirus, vulnerability management, and business intelligence. You also want them to be familiar with security topics outside a specific vertical industry.

Quality of work
When it's time to deliver, you'll need a high-quality finished product. Remember, you want to walk away with detailed recommendations (see tip #5). Ask for samples of the team's prior work and client deliverables. Look for a clear roadmap of recommendations as well as a detailed description of the current environment, and make sure the information can be used at both the operational and management level. If the team you're vetting suggests specific technologies or vendors in their proposal, they may simply be following a template rather than evaluating your specific needs.

Size
Determine where the assessment will be performed and how many members need to be on the team. Note that a larger number of people isn't always preferable. For example, a significant number of junior staffers will result in a team with six assessors but the capacity of just two or three.

TIP #5: Learn, Improve.
Don't just toss the results of the assessment into a drawer. Study them closely. Used properly, they can be a springboard to better security.

Focus on remediation, asking yourself what you need to do in order to tackle the more critical issues that emerged from the assessment. Do you need to sideline any projects? Create new ones? Make the case for certain investments? In some instances, you may even determine that you need another, more in-depth assessment. Or, if a compliance audit is imminent, you'll want to know how the gaps identified in the security assessment will have an impact.

The Threat Landscape
Technology is evolving, but so are threats. Attackers are growing increasingly sophisticated, adopting new techniques, and pursuing a wide range of goals, be it financial gain, espionage, or notoriety. Regardless of industry and size, assume that your organization will be targeted, at some point, by an attacker. Safeguarding against threats is no easy feat, given business complexity and budget limitations. But all is not lost: understanding how systems, applications, data, storage devices, and communication mechanisms relate to each other helps you allocate resources optimally. In this way a security assessment can give you a leg up. Ultimately, you'll be able to provide executive management and leadership teams with a clear picture of what's in place, what's working, and what's not.

About Rapid7
Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,900 organizations, including 30% of the Fortune 1000. From the endpoint to the cloud, we provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. Our Strategic Services Program Development helps transform your organization's security program to be relevant, actionable, and sustainable through threat-focused program assessment and development services. Recommendations and advice provide measurable cyber-security improvements over a timeframe appropriate to your organization.
Learn more: http://www.rapid7.com/docs/program-development-services.pdf Rapid7.com