As you read about security assessments, what can you conclude from this week’s readings about:
- How often security assessments should be performed?
- Are there factors that would decide how often you would perform these assessments?
- Conditions that might alter that schedule?
- What security assessments are most essential?
In the CISSP All-in-One guide by Shon Harris, there are different types of security assessments an organization can perform. These include an internal audit, external audit, third-party audit, vulnerability and penetration testing, log reviews, misuse case testing, and code reviews. Which security assessment is chosen can alter how often it is performed. For example, any type of assessment on an internal scale would be easier to schedule since it has to work within the confines of the organization’s schedule only, but an external or third-party assessment would be dependent on another party to schedule how often an assessment would be performed. I would say that an internal audit should occur more frequently than an external audit, and a third-party audit would only occur on an as-needed basis. External audits would occur anytime a contract with a business associate would permit, so that is variable as well. Internal audits should most likely occur every few months or so to make sure everything is in order. This is why an internal audit is one of the most essential. With an internal audit, an organization could also check vulnerability and penetration testing, log reviews, misuse case testing, and code reviews, and out of that, vulnerability and penetration testing along with code reviews are also very essential in my opinion.
Hi Krish, I agree as well. Many times organizations hire external auditors but are not proactively auditing themselves. Having an internal audit department helps prepare the organization for this external audit (that may make or break a company) and also proactively protect their organizations.
I agree, Mei. Additionally, these internal audits can fill in the gaps where an organization may not want a third party auditing as regularly due to sensitive systems or sensitive information.
A comprehensive security assessment should be performed as regularly as needed within each organization. However, for those handling fewer sensitive systems, it is recommended to carry one out once every two years.
As per CIA triad information categorizations, it is vital to keep implementing appropriate and adequate security for electronic information regardless of the category the information falls in. Security assessments are performed to maintain reasonable, continuous, and appropriate security, and the need to re-evaluate potential risks and periodically evaluate the effectiveness/adequacy of implemented security measures drives the frequency of security assessments.
This schedule could be altered by various occurrences, some of which include actual security incidents, major upgrades like equipment refresh and change of personnel/roles and duties of security professionals.
The most essential assessments include IT risk assessment, vulnerability and penetration assessments for network systems, and physical security assessments of plants against incidents like break-ins and other hazards to systems and personnel.
Going off of personal experience from two different companies, we would run security assessments every time there was a major OS update or a medium or major application release, or if we did not meet either of those, we would just run a yearly security assessment on all our systems. This was for our non-high-priority systems. Our high-priority systems had a few more hoops to go through. For these systems we would do a yearly DR test, an internal audit every six months, yearly code reviews, and log reviews whenever necessary. We schedule the DR test and bi-yearly internal audits at the beginning of our fiscal year, and plan to do our other security assessments as needed.
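The two-tier schedule described in the post above (yearly baseline plus event triggers for standard systems; added DR test, six-monthly internal audit and code review for high-priority systems) can be turned into a simple "what is due today" check. This is an added example, not code from any poster or organization; the tier names, cadence values, event names and sample systems are constructed assumptions based on the post.

```python
from datetime import date, timedelta

# Assumed cadences (days) per assessment type, by system tier, taken from the post:
# standard systems get a yearly assessment; high-priority systems add a yearly DR
# test, an internal audit every six months and a yearly code review.
CADENCE_DAYS = {
    "standard": {"security_assessment": 365},
    "high": {"security_assessment": 365, "dr_test": 365,
             "internal_audit": 182, "code_review": 365},
}

# Events that trigger an immediate security assessment regardless of cadence.
TRIGGER_EVENTS = {"major_os_update", "medium_app_release", "major_app_release"}


def due_assessments(system, today):
    """Return {assessment_type: reason} for everything due on `today`.

    system is a dict with 'tier', 'last_run' ({type: date of last run}) and
    'events' (names of changes since the last run). A type never run is due.
    """
    due = {}
    for kind, days in CADENCE_DAYS[system["tier"]].items():
        last = system["last_run"].get(kind)
        if last is None:
            due[kind] = "never run"
        elif today - last >= timedelta(days=days):
            due[kind] = f"cadence exceeded ({(today - last).days} days)"
    # A triggering event forces a security assessment even if the cadence is fine.
    triggered = TRIGGER_EVENTS.intersection(system.get("events", []))
    if triggered:
        due["security_assessment"] = "event: " + ", ".join(sorted(triggered))
    return due


# Constructed sample inventory, not real systems.
SAMPLE_SYSTEMS = [
    {"name": "hr-portal", "tier": "standard",
     "last_run": {"security_assessment": date(2023, 9, 1)},
     "events": ["major_os_update"]},
    {"name": "payments-core", "tier": "high",
     "last_run": {"security_assessment": date(2023, 1, 15),
                  "dr_test": date(2023, 7, 1),
                  "internal_audit": date(2023, 8, 15)},
     "events": []},
]

if __name__ == "__main__":
    for s in SAMPLE_SYSTEMS:
        print(s["name"], due_assessments(s, date(2024, 3, 1)))
```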
The last organization (financial) I worked for as an analyst was locked down tight and I was basically on a “need-to-know” basis (apparently, I didn’t “need-to-know” s**t) regarding “higher-level” security information.
From what I witnessed in my year and a half there:
Vulnerability scans were performed on a quarterly basis and as needed for new servers, etc. Penetration tests were conducted annually or as needed as situations arose. Again, I was not privy to the details. I surmise that black, gray, and/or white box testing was utilized depending on the desired outcome. Internal audits are conducted continuously as well as external audits quarterly. A third-party audit (financial industry accreditation) is conducted every year and it’s “all hands on deck”, making sure everything is copacetic. I participated in a smaller disaster recovery effort involving rolling blackouts. We went from UPS to generators to generators delivered by PECO. There were also plenty of other duties to fulfill to maintain business continuity. Every minute you are down costs a considerable amount of $$$.
I believe that all assessments are essential as a whole. There are a lot of moving parts to keep the enterprise up and running.
Hi Vincent,
Pretty good observations from your short time at that organization. It’s good to know that vulnerability scans and internal/external audits were done often (quarterly), and penetration tests and third-party audits were done yearly. I do think that yearly is still not enough, so maybe twice or thrice a year would be good for penetration tests, and third-party audits should only occur if internal or external audit attempts have failed and they need it.
Thanks, Krish!
This was my first foray into what actually goes into best practices for this industry. I also worked at another organization that was the opposite of this. Large law firm, security holes everywhere! I got to see much of what we have learned on this journey and it is exciting to see all of the moving parts form the whole. Not only did I see all of the great tech but the regulatory compliance that goes hand in hand.
Thanks for sharing your experience, Vincent. Sometimes working in different firms allows us to see security-related operations from different angles, which enhances our learning experience. Every time I change jobs, I always find differences and similarities in security approaches.
From my past auditing experience, security assessments are performed either annually, quarterly, or bi-yearly depending on the scope of the assessment and what is defined by the policies and procedures. Some factors that can sway how often assessments are performed can be new acquisitions, industry cybersecurity events, and updates to the policy by high-level management. Conditions that may alter the schedule can be environmental, or as we recently saw, a global pandemic. As people scrambled to transition to fully remote this past quarantine, the scope of devices connected to each organization’s network may have expanded as well, calling for impromptu testing. In my opinion, vulnerability assessments are the most crucial because this is where you can experience the most loss. If a vulnerability were to go undiscovered and be exploited, your company could easily face reputational loss, financial loss, and more. Vulnerability assessments should be conducted for all organizations so they can understand their risks and build countermeasures to protect their company.
Security assessments are more in-depth than just a simple security test and therefore may not be completed as frequently. They are usually completed using a framework such as NIST SP 800-53A by either someone internal or a third party. The frequency of the assessment will depend on the specific company, risks, and regulations. If systems are high priority or if an organization is subject to regulations, security assessments may be performed more frequently. Security assessments may be performed after specific events such as a security breach or a big update in the system.
Hi Amy,
These documents are very informative but are a tough read. Very hard to stay engaged. We have to be familiar with so many for the CISSP. In the end, it will be advantageous to have the in-depth knowledge and how it applies on the job. I would bet that there will also be questions in an interview.
Soooo.. I can totally assure you that you will be VERY familiar with NIST. We had an entire project to list all the NIST SP 800 controls into our system to use them in our audits. So.. while these docs are tough, they directly relate to everything you will come across in industry – provided you go into the Audit track of it. And even as a tech professional in cyber you will be heavily involved in gathering evidence to prove that controls are being met. So there really isn’t any way around it. omg.
Absolutely! It is a lengthy read and difficult to digest when just reading through but I believe we will end up working with it so frequently that we will all become experts on the documents.
In true consultant fashion – it depends.
Everything depends on the risk appetite, the industry, the size of the company, the board’s business drivers, the maturity of the technology, the maturity of the security team, etc. For most companies, there are a multitude of risk assessment types: some do an overall risk assessment, some have segregation (vendor risk, process risk, system risk, etc.). Depending on your industry, standards and regulations can dictate cadence and requirements. Assessments generally occur at onboarding of a technology, vendor, process, etc. and at annual reviews. Other triggers would be adverse events in the post-mortem assessment, a change in the business model, a change of senior management, or an acquisition.
I don’t think there is one “most important assessment”. The value of any type of assessment depends on what the business needs are and what they find value in. I can attest that a cost/benefit analysis on the variety of vulnerabilities and mitigation options is a highly valuable type of assessment for key stakeholders. This helps prioritize by criticality, likelihood and impact while encompassing a somewhat quantifiable value that a business person can more closely relate to. The decisions are then made simple: Is the mitigation going to cost me more than accepting the risk?
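The cost/benefit reasoning in the post above (rank exposures by likelihood and impact, then ask whether a mitigation costs more than accepting the risk) is the classic SLE/ALE safeguard calculation: value of a safeguard = ALE before − ALE after − annual safeguard cost. The code below is an added worked example, not the poster’s or any firm’s tool; the risk figures, safeguard names and costs are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # dollar value of the asset at risk
    exposure_factor: float  # fraction of the asset lost per incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)


@dataclass
class Safeguard:
    name: str
    annual_cost: float      # annualized cost of the control
    residual_aro: float     # incidents per year expected after the control
    residual_ef: float      # exposure factor after the control


def sle(risk):
    """Single loss expectancy: impact of one incident."""
    return risk.asset_value * risk.exposure_factor


def ale(risk):
    """Annualized loss expectancy: impact weighted by likelihood."""
    return sle(risk) * risk.aro


def prioritize(risks):
    """Names of risks ordered by ALE, highest first (criticality ranking)."""
    return [r.name for r in sorted(risks, key=ale, reverse=True)]


def safeguard_value(risk, sg):
    """ALE before minus ALE after minus cost; positive means it pays for itself."""
    ale_after = risk.asset_value * sg.residual_ef * sg.residual_aro
    return ale(risk) - ale_after - sg.annual_cost


def decide(risk, options):
    """Return ('mitigate', name, value) for the best net-positive safeguard,
    or ('accept', None, best_value) when none beats accepting the risk."""
    scored = sorted(((safeguard_value(risk, s), s) for s in options),
                    key=lambda t: t[0], reverse=True)
    best_value, best = scored[0]
    if best_value <= 0:
        return ("accept", None, best_value)
    return ("mitigate", best.name, best_value)


# Constructed sample: a customer database breach risk and three candidate controls.
DB_BREACH = Risk("customer DB breach", asset_value=2_000_000, exposure_factor=0.25, aro=0.2)
OPTIONS = [Safeguard("DLP + encryption", 60_000, residual_aro=0.05, residual_ef=0.10),
           Safeguard("MFA on admin access", 15_000, residual_aro=0.10, residual_ef=0.25),
           Safeguard("full platform rebuild", 150_000, residual_aro=0.01, residual_ef=0.10)]
```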
1. How often security assessments should be performed?
Broadly speaking, security assessments need to be performed regularly according to the RMF (Risk Management Framework). They involve system changes, key updates, remediation, status reporting, etc.
2. Are there factors that would decide how often you would perform these assessments?
Yes, rules, regulations and compliance standards determine how often assessments are done, for instance, SOC1 & 2 mandate yearly audits, the PCI requires yearly ROC, SAQ and AOC. The FISMA requires government departments to perform audits every year before their budgets are approved.
3. Conditions that might alter that schedule?
New attacks or technology may alter a schedule. For instance, when a new patch is released to fix a vulnerability like the one that hit SolarWinds, a company does not have to wait for Patch Tuesday but rather should apply the fix immediately. More so, zero-day vulns may alter the schedule because there is no patch released yet to fix the bug.
4. What security assessments are most essential?
It depends on the goals and objectives of the organization, e.g., some businesses would see infrastructure assessments as important while others would consider operational, physical, or environmental assessments as vital.