As you read about security assessments, what can you conclude from this week’s readings about:
- How often security assessments should be performed?
- Are there factors that would decide how often you would perform these assessments?
- Conditions that might alter that schedule?
- What security assessments are most essential?
Ahmed A. Alkaysi says
There are many factors that go into how often assessments need to be conducted. These include the criticality of the application or process, availability of the testing resources, risk and likelihood of attacks, existing vulnerabilities, and the impact to normal business operations during the assessment. I would say the higher the criticality of the application, the more frequently it will be assessed. However, there are a certain number of things that can occur which throw a wrench into a scheduled assessment. This can include a system migration taking place which requires the full attention of the operations team, ultimately delaying the start of an assessment. Or a newly discovered vulnerability impacting the system that can trigger an earlier assessment. The security assessments that are most essential are the ones that target the critical applications supporting the business, and the applications that are of highest risk. These assessments can include end-to-end testing of internal controls, penetration testing, and vulnerability scanning.
Elizabeth V Calise says
• How often security assessments should be performed?
Security assessments should be a continuous activity. A comprehensive assessment should be conducted at least once every two years in order to explore the risks that are associated with the organization’s systems. However, organizations may also choose to perform assessments monthly or quarterly. The length between audits will depend on how large the organization is. Also, it can depend on the scope of the assessment; for example, an assessment that is quite in depth may be done once a year (high priority items). Or if there are changes to an application system, the assessment may be done sooner rather than later. Additionally, external entities can dictate when the security assessment needs to be done.
• Are there factors that would decide how often you would perform these assessments?
I mentioned this a bit above, but the criticality of a program or application can influence how often an organization would perform assessments. External entities can influence this as well. Another factor could be how much of a target you are to attackers. This can go hand in hand with the criticality of applications/programs.
• Conditions that might alter that schedule?
Conditions that might alter the schedule are contract deadlines/milestones for programs. For example, you are building a program for the government and the government says you need to do this security assessment for the program. Well, the team building the program is not just going to stop completely to do the security assessment. Vacations could also delay the schedule, including outside forces like weather or sickness. Another example could be that if you are rolling out updates of an application, you may wait and push the assessment back a month.
• What security assessments are most essential?
Security assessments are more free form, and what I mean is that each organization comes up with their own assessments and decides which ones will be more in depth based on criticality. There is no clear-cut guide on security assessment; there are different ones. The ones that are most essential are the ones that are most in depth (involving everyone) addressing the critical applications/programs.
Scott Radaszkiewicz says
I agree Elizabeth. An organization might need more frequent assessments if they are a high profile target. While yearly might be sufficient for some organizations, high profile targets like banks or federal government institutions might need to up their game and perform them on a shorter time frame.
Elizabeth V Calise says
Scott, I completely understand where you are coming from when you say certain institutions may need to perform some assessments in a short time frame. However, I wonder how realistic that can be. If they have a critical program or something of the sort, that assessment will probably be very much in depth and involve various parties to complete. This will probably take some time, say a couple of months. Then it may have been yearly because the assessment already took six months, so you aren't going to make the team perform the assessment again in two months' time. I think it really depends what you are assessing.
Ahmed A. Alkaysi says
Hey Scott, while I agree that a higher profile would probably need more frequent security assessments, I think it comes down to the criticality of the business function and supporting IT services. Even for lower profile organizations, I think they would conduct risk assessments frequently on their core services. Attackers like to target the lower profile organizations since they tend to be lax and not invest as many resources into their security defenses, which should not be the case.
Dima Dabbas says
• How often security assessments should be performed?
Security assessments should be performed on a regular basis within an organization. Depending on the organization, security assessments should be performed annually on an organization level. Organizations may choose to break the assessment into different sections and perform these assessments monthly, quarterly or bi-annually.
• Are there factors that would decide how often you would perform these assessments?
There are many factors that can determine how often to perform these security assessments. The importance and criticality of applications is one of the most important factors as critical and significant applications need to be assessed a lot more often than less critical applications.
• Conditions that might alter that schedule?
Conditions that may alter the schedules can be any updates to the system that need to be performed first before a security assessment can be made. Threats and vulnerabilities that are discovered within a system can also impact when security assessments are performed. The schedule of the security assessment needs to also be convenient for all the users that are involved in this assessment and their availability.
• What security assessments are most essential?
The most essential security assessments are the assessments that cover the critical applications that impact the organization as well as the users accessing these applications. These applications and systems need to be assessed to ensure the confidentiality, integrity and availability of the data and information that is being entered and used by the users.
Brock Donnelly says
Security assessment types and their frequency should be determined by upper-level management, the CIO or equivalent. They should be conducted on a regular basis depending upon the business need. Data classifications, network interruption, regulation, judicial, and attack surface are some of the various factors that influence the frequency of security assessment tests. Other factors can alter your schedule. Maintenance or upgrades would disrupt a regular security scan. A recent attack or 0-day flaw could prompt a non-routine scan. Deciding specific security assessments for any company would largely depend upon the business and its goals. Specifications of documents, mechanisms of controls, activities with integral employees and individuals who implement are four categories from which to start, outlined by NIST 800-53A.
Elizabeth V Calise says
Brock,
You mentioned a good point that I did not think about, and that was non-routine assessments (scans). The question was what can alter a schedule, but you brought up something in addition that happens frequently, and those are the non-planned assessments. As you mentioned, recent attacks or 0-day flaws can prompt an unexpected assessment. So cyber security folks should not only be prepared for bumps in the schedule, but for assessments to randomly pop up as needed even if they were not in the yearly plan.
Steve Pote says
I will ~try~ not to sound like a wise-guy, my initial statement will, but I have a point… I will start with: security assessments should be performed at least once. Not knowing the schedule of the next assessment, or even an inability to gather comprehensive information, shouldn’t preclude some kind of baseline. There is an easy match-up where frequency maps to the scale of the business, a diagonal line where assessments increase with business volume.
My background is software development, and I think the parallel speaks to all the details of scheduling. I can picture a timeline with frequent milestones early in the critical path; frequent assessments on immature projects. The polar opposite exists at end of life; projects may only be reviewed if a specific newfound vulnerability suggests so. Between the two there are flurries of change and periods of recession and stability. The greater the delta, the greater the need to test your software or perform an assessment.
The real point: in the chart of the SDLC in my mind’s eye the X axis, the one where time would be mapped, has no unit of measure. A project’s functional life may be decades. It is a stretch, but a scripting assignment could launch and flame out in a day, at least shadowing the SDLC of more robust siblings.
The factors that set assessment tempo, the conditions that should trigger schedule changes, the essential target of assessments: it is all contingent on the delta, the changes that are taking place.
So really the maturity of the business and its rate of change should dictate urgency and frequency.
Jonathan Duani says
I think there are many different things to consider when it comes to how often security assessments should be performed. I think what makes security assessments the most effective is that they are done continuously. If they are done continuously then issues may be mitigated before they become a problem. A global assessment should also be done periodically where everything is looked at and risk is assessed and re-mitigated. Depending on what is going on in the organization and/or the size of the organization can dictate how often they should be done. When you look at how often they should be done, if a new vendor or outside company is coming in you should do a risk assessment of that specific item that is being added to see how it meshes with and affects the security of your environment. Also, the size of the company will affect the frequency of security assessments. Depending on whether something happens in the organization or a new vulnerability is found, an assessment might be an emergency thing that has to be done to confirm that everything is up to spec. Finally, depending on weather, team vacations, or different patches, it could alter the schedule of when scans are done to be the most effective.
Dima Dabbas says
Jonathan,
I completely agree with your response. Assessments should be performed on a regular basis and frequently to stop issues from happening and mitigate the risks that may result from these issues. The size of the organization is also a very important factor that determines how often these assessments are implemented. Organizations that are in partnership with third parties may want to increase the frequency with which they conduct their assessments, as well as ensure their third parties are performing these assessments, to ensure that everything is secure and protected.
Ahmed A. Alkaysi says
Hey Jon, I think having a global assessment where everything is looked at is a great idea. Questions might arise in terms of resourcing, what to look at first, etc. I think if an organization is going to be looking at conducting risk assessments for all entities, they would need to prioritize first. They can do that by looking at what services and processes are core to the business, and conduct assessments on these first. These can be put on an annual frequency plan. Other services/processes not as critical could probably be done on a 2- or 3-year frequency.
Duy Nguyen says
A security assessment is a calculation of the risks, vulnerabilities, and impacts an organization faces and its ability to handle them. Based on this assessment, an organization can better gauge their security posture and risk appetite in order to deploy the appropriate mitigation strategies. In addition, a security assessment is also a tool to measure an organization’s security posture and its effectiveness towards the organization’s security goals.
Assessments, in my opinion, should be conducted annually; this will ensure compliance, updates with new threats, and detection of undetected breaches. Many industries are bound by governmental regulations such as HIPAA, PCI, and FISMA, which would force various assessment/audit schedules to be in compliance. Another critical reason for periodic assessments is to keep up to date with threats and vulnerabilities.
Jonathan Duani says
Duy,
Some really good points that you brought up. I think depending on the organization that you are a part of, the yearly time frame might not be the best option. I think it really does depend on the industry though. I feel like something like financial or health care would need something done more frequently on critical systems.
Dima Dabbas says
Duy,
The governmental regulations HIPAA, FISMA and PCI are essential as they protect organizations by forcing them to perform regular assessments to be in compliance with these regulations. This is good as it helps ensure that organizations are aware that security risks exist and that assessments need to be performed to ensure that the confidentiality, integrity and availability of the data and systems are protected.
Oby Okereke says
• How often security assessments should be performed?
The frequency of the security assessment schedule should be primarily dictated by an organization’s security policies, the security framework adopted by the organization, as well as applicable regulatory expectations, compliance requirements and contractual obligations. Most organizations will typically conduct a security assessment annually to meet these specific and regulatory security criteria.
• Are there factors that would decide how often you would perform these assessments?
Certain factors that could affect how often these assessments should be performed are thus:
- An occurrence of a major change in the security posture of an information system as determined by a security impact analysis
- The criticality of the system
- After a system outage and recovery
- Business needs changes
• Conditions that might alter that schedule?
Findings from vulnerability scan reports and/or results from penetration tests could trigger an alteration in the assessment schedule, in the sense that there may be an inherent concern that several attempts have been made on an ongoing basis to breach an information system. Also, a known zero-day threat that could adversely affect critical operations and assets may call for a review of the assessment schedule. A change in the risk factor is another condition to consider.
• What security assessments are most essential?
Vulnerability scans, auditing and reporting.
Ahmed A. Alkaysi says
Hi Oby, I think you make a great point about business needs changing factoring into how often assessments are performed. Many business needs might require architecture/infrastructure changes, not just code. These impacts are larger and more dynamic, making them susceptible to undiscovered vulnerabilities. For example, many organizations these days are trying to be flexible and deliver IT solutions much faster. Many of these solutions require the use of microservices and APIs. As such, instead of just following a traditional assessment frequency plan, an organization should be conducting risk assessments on these dev solutions to understand how they impact the security posture of the organization.
Rommel R. Miro says
As you read about security assessments, what can you conclude from this week’s readings about:
How often security assessments should be performed?
Security assessment frequency should not be static or uniform. Rather it should depend on the sensitivity of the system, object and data being handled. Once that is determined, it should be scheduled in different stages, some more frequent than others. Some examples are below:
- Annual: Pen Testing
- Quarterly: Network Scans
- Weekly: Virus Engine updates
- Continuous/Daily: Logs, Virus definitions
- As needed: Vulnerability Scanning (or quarterly, whichever occurs first)
Are there factors that would decide how often you would perform these assessments?
Cost, if the system is mission-critical to the operation, impact of the vulnerability.
Conditions that might alter that schedule?
Zero-day threats or any vulnerability that is newly discovered.
What security assessments are most essential?
Assessments for mission-critical systems that also hold sensitive information should take priority or should at least be checked more frequently.
Oby Okereke says
Hi Rom,
As I read through your response, one thing that jumped out to me is the fact that mission-critical systems that hold sensitive information should take priority with regards to security assessments.
An attack on a mission-critical system can cripple a business thus the importance of conducting security assessments on such systems cannot be undermined. I like that you captured that fact. Kudos!
The barrage of attack exploits targeted on mission critical systems requires a host of carefully designed security assessments in order to ensure the susceptibility to attack propagation is reduced and remediation efforts managed in a timely fashion.
Dima Dabbas says
Mel,
As you mentioned, security assessment frequency depends on the systems in terms of how critical the system is and what data the system handles. True, there needs to be a schedule to these assessments, but there are situations when these assessments need to be performed regardless of what the schedule is. These situations can be after a major upgrade to the system, a partnership with a third party or vendor, and if a risk, threat or vulnerability was detected. It is hard to define all these situations, but any major change in the system should require that a security assessment be performed on these systems.
Rommel R. Miro says
Dima,
You brought up an excellent point that a lot of people overlook, including myself: assessments post upgrade implementations or after any 3rd-party/vendor work has been performed. In some cases, the scope of work performed is so significant that an assessment has to be done as intended for an all-new product. On the endpoint side, an example we encounter and sort of go through is when a new OS gets released and it requires a thorough re-assessment and evaluation of the AV firewall rules since the architecture has been thoroughly reworked. This was not scheduled and not required for previous OS releases, but it shows that every once in a while the jump is bigger than the others.
Sheena L. Thomas says
• How often security assessments should be performed?
How often a security assessment is conducted depends on the sensitivity of the data, your company’s policies and regulatory requirements. At my employment, we conduct daily, weekly and monthly security assessments based on our security policies.
• Are there factors that would decide how often you would perform these assessments?
At my current employer, we have a policy that all pre-production servers must have a vulnerability assessment completed before putting the machine on the network. During the assessment, we are looking for missing patches and unnecessary ports and protocols turned on. We also perform monthly server subnet vulnerability scans; this allows us to determine if servers on the network are missing patches. All updated images for workstations and servers undergo a security assessment.
We have another policy that requires an application to be assessed before it is allowed to be accessed. We scan for OWASP Top 10 vulnerabilities within the application. If any application has to be upgraded, we then will perform another security assessment.
• Conditions that might alter that schedule?
Yes, if a server, workstation or application is compromised (exploited), a security assessment should be conducted before it’s allowed back on the network or accessed by end users.
• What security assessments are most essential?
All security assessments are essential; each one looks for possible vulnerabilities that can be exploited or compromised. Maybe the frequency of the security assessments can be reviewed to determine the importance.
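The pre-production gate Sheena describes (no server goes on the network until it has been checked for missing patches and unnecessary open ports) can be expressed as a small policy check. The following is an added example, not code from any poster or their employer: it assumes a hypothetical per-role port allowlist and patch baseline, and runs over constructed scan results rather than a real network.

```python
"""Pre-production vulnerability gate (added example, not from the thread).

Policy modelled: a server may join the network only if (1) it has no
listening ports outside the allowlist for its role and (2) every package
in the patch baseline is installed at or above the required version.
All allowlists, baselines and scan results below are constructed
sample data for illustration.
"""
from dataclasses import dataclass

# Hypothetical policy: TCP ports each server role is allowed to expose.
ALLOWED_PORTS = {
    "web": {22, 443},
    "db": {22, 5432},
}

# Hypothetical patch baseline: minimum acceptable version per package.
PATCH_BASELINE = {
    "openssl": "3.0.13",
    "openssh-server": "9.6",
}


@dataclass
class ScanResult:
    host: str
    role: str
    open_ports: set          # listening TCP ports found by the scan
    packages: dict           # package name -> installed version string


@dataclass
class Finding:
    host: str
    category: str            # "port" or "patch"
    detail: str


def parse_version(text: str) -> tuple:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically,
    not lexically ('9.6' must not sort below '10.0')."""
    return tuple(int(part) for part in text.split("."))


def check_ports(result: ScanResult) -> list:
    """Flag every listener not on the role's allowlist. An unknown role
    has an empty allowlist, so all of its ports are flagged."""
    allowed = ALLOWED_PORTS.get(result.role, set())
    return [Finding(result.host, "port", f"unexpected listener on tcp/{p}")
            for p in sorted(result.open_ports - allowed)]


def check_patches(result: ScanResult) -> list:
    """Flag baseline packages that are missing or below the required version."""
    findings = []
    for pkg, required in PATCH_BASELINE.items():
        installed = result.packages.get(pkg)
        if installed is None:
            findings.append(Finding(result.host, "patch", f"{pkg} not installed"))
        elif parse_version(installed) < parse_version(required):
            findings.append(Finding(result.host, "patch",
                                    f"{pkg} {installed} is below baseline {required}"))
    return findings


def assess(result: ScanResult) -> list:
    """All findings for one host; an empty list means a clean scan."""
    return check_ports(result) + check_patches(result)


def gate(result: ScanResult) -> bool:
    """True only when the host may be placed on the network."""
    return not assess(result)


# Constructed sample scan output: one clean host, one that must be fixed first.
SAMPLE_SCANS = [
    ScanResult("web01", "web", {22, 443},
               {"openssl": "3.0.13", "openssh-server": "9.6"}),
    ScanResult("web02", "web", {22, 80, 443, 3389},
               {"openssl": "3.0.11", "openssh-server": "9.6"}),
]

if __name__ == "__main__":
    for scan in SAMPLE_SCANS:
        verdict = "ALLOWED" if gate(scan) else "BLOCKED"
        print(f"{scan.host}: {verdict}")
        for f in assess(scan):
            print(f"  [{f.category}] {f.detail}")
```

The same two checks apply to the monthly subnet scan mentioned above; only the input changes, from a single pre-production host to every host on the subnet, and a host that fails is queued for remediation rather than blocked from joining.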
Jonathan Duani says
Sheena,
I definitely agree that you need to base the assessments on the company's policies and regulatory requirements. Every industry is different and holds different requirements for security. I also agree that all security assessments are essential. I think if you start to weight the assessments differently, people will not take the less essential ones as seriously and stuff might slip through the cracks.
Folake Stella Alabede says
• How often security assessments should be performed?
Ideally, security assessments should be performed annually, but depending on some other factors, they could be performed as the need arises (more than once in a year). Every organization should have a security assessment and testing program designed and operational.
• Are there factors that would decide how often you would perform these assessments?
As often as the threat environment is changing; the criticality and sensitivity of the business, changes in business operations, the technical environments and other factors.
• Conditions that might alter that schedule?
A condition I can think of is a major change in software/application/technology being used by the organization that could adversely affect the organization if exploited.
• What security assessments are most essential?
I’m not exactly sure about this question, as there might be some common security assessments that would be applicable to all types of business, but I would think that a security assessment that is termed essential to an organization might be different from another organization’s definition in a different business.
Scott Radaszkiewicz says
Folake, I like how you state “as often as the threat environment is changing.” I think that is key. You have to understand what is going on in the world. When major new threats or flaws are hitting the technology world, then you might need to review your assessment. Zero day threats are unaccounted for. So your initial assessment might have you feeling confident, but a zero day exploit can really ruin your day.
Jonathan Duani says
Really good takeaway, Scott. I totally agree with your statement about the changing threat environment. I think that what you said about the changing environment makes sense. When 0-day exploits come out and different things come to light, it might be important to alter your assessment timeline because a specific assessment might be more important at that specific time.
Scott Radaszkiewicz says
How often security assessments should be performed?
Security assessments should be performed on a regular basis. I think the regularity would have to be decided by each organization. Maybe yearly is sufficient for an organization, maybe bi-yearly is needed. At the very least, a yearly assessment should be conducted. A risk assessment should also be conducted and used as part of this decision making process. If you’re dealing with highly confidential information that is critical to the life of the company, then more frequent assessments should be conducted to ensure the C, I and A of the organizational data.
Are there factors that would decide how often you would perform these assessments?
As mentioned prior, the risk involved with a data breach would impact the frequency. If a breach would cause minimal impact to the organization, a yearly assessment might be adequate. If a breach would have catastrophic results, then a more frequent assessment would be desired. For instance, a bank would want to ensure the safety of its data. Frequent assessments might be warranted.
Conditions that might alter that schedule?
I think anytime major changes are made, a new assessment should be conducted. Let’s say an organization adds a new firewall to the system, then a new assessment should be conducted, since new equipment is in place. Acquisitions or mergers of companies would also warrant a new assessment. Basically, anything that has a major impact on the people and processes within an organization, a new assessment should be conducted.
What security assessments are most essential?
I think there are two major assessments that are vital to any organization. The first is to assess the security from intrusion from the outside. If an outside agent attempted to hack our systems technically, what could they access? How prepared are we? And second, assessing the strength of the staff against social engineering. No amount of firewalls or firewall rules is going to stop John Smith from giving some outside agent his login and password to the system, thinking he’s dealing with tech support, but really giving away credentials to a hacker.
Jonathan Duani says
Scott,
I think you formulated a really thorough response. I do think, as you explained, that the more critical the information is, the more important it is to have assessments on it more frequently. I like how you talked about how the frequency of an assessment could correlate with risk. The higher the risk of the information, the more frequently an assessment should be completed; that way we know that the most critical information is secure.
Frederic D Rohrer says
How often security assessments should be performed?
Security assessments should measure the safety of a current system configuration; this means that whenever a change is made to this configuration, ideally, another security assessment is performed. In some organizations an initial assessment is performed and subsequent changes are left to the administrator, but the final configuration is never assessed.
Are there factors that would decide how often you would perform these assessments?
The factor varies and can probably be described as a function of risk, cost and cost of risk. Though security assessments should be carried out at regular intervals, regardless of the factor.
Conditions that might alter that schedule?
Certain conditions could cause schedule change, such as emergency changes or upcoming installations or configuration modifications. If a server is going to be upgraded tomorrow there is not much sense in doing a security assessment on it today.
What security assessments are most essential?
Black-box assessments are the most essential because they provide the “thief-view”. As such they are cost effective and do not have wide scope definitions.
Oby Okereke says
Hi Frederic,
I like that you draw upon emergency changes or an upcoming installation or configuration modification as some of the conditions that might alter a security assessment schedule.
Indeed, of what use is it to expend so much energy and scarce resources in conducting a security assessment on a server that will be undergoing a change in the near future?
Insomuch as this might appear futile, it should still call for some level of careful consideration that will require an adjustment in the big scheme of things in order to maintain the same level of security posture expected of any environment. I say this because I have witnessed situations where application and server administrators shirk their duties with regard to findings from a vulnerability assessment scan.
Statements such as “we’re in the process of migrating to a new server” or “we are in the process of implementing an upgrade” are used to argue that no further effort should be expended carrying out security assessments. Typically, the system owner should be the one making the ultimate decision, accepting any risks from such decisions.