As you read about security assessments, what can you conclude from this week’s readings about:
- How often security assessments should be performed?
- Are there factors that would decide how often you would perform these assessments?
- Conditions that might alter that schedule?
- What security assessments are most essential?
Mohammed Syed says
The security assessment process identifies and evaluates the risk for organizational assets that can be affected by cyber attacks. The security assessment is a process performed on a regular basis to help an organization develop one of the best and most secure foundations for security, to ensure business success. Today technology has changed dramatically to protect organization assets; each organization is different, so the decision as to what kind of risk assessment should be performed depends largely on the specific organization. How often a security assessment is performed depends on the size and complexity of the organization’s IT environment.
Security assessment should be a continuous activity; if you think about the factors for conducting an assessment, threats, assets, and the organization’s business can be considered, but it is a continuous process. An enterprise security risk assessment should be conducted at least once every two years to explore the risks associated with the organization’s information systems. A security assessment only provides the real scenario or a snapshot of the risk which can be faced in the upcoming time span. In the case of critical information systems, it is highly recommended to conduct a security risk assessment more frequently, if not continuously.
Every organization should always have a solid base of information security. The risks, threats, and vulnerabilities to the organization will change over time; if an organization wants a stable security infrastructure to face all upcoming threats and minimize arising vulnerabilities, then it needs to conduct continuous security assessments.
Kelly Sharadin says
Hi Mohammed,
I also agree that choosing an appropriate type of assessment is dependent upon the type of business under assessment. A small remote business operating solely on a SaaS environment has a very small attack surface and is not a likely candidate for monthly vulnerability scanning or even a physical security assessment. However, such an organization could benefit from a security assessment of the SaaS platform itself or even phishing assessments of the business’s employees.
Kelly
Mohammed Syed says
Yeah, currently SaaS technology can help increase productivity, operational efficiency, and cost-effectiveness for companies, especially user security and widespread connectivity.
Anthony Wong says
Overall, security assessments are typically performed quarterly, bi-annually, or annually depending on the scope in relation to the policies established by the organization. Security assessments can be vulnerability scans or internal and external audits. From personal experience, I have seen organizations perform vulnerability scans on their network every 4-6 hours, to once a week, to once every two weeks. Some factors to consider are regulation and compliance that may mandate more frequent reviews compared to the enterprise’s policy. Some conditions that may alter the schedule are if there are any zero-day vulnerabilities or new technology such as patches for critical / production systems.
Mohammed Syed says
Yes, most companies do security assessments every year. However, you should ensure compliance with HIPAA, FISMA, and PCI DSS regulations, and many of these require regular security assessments. If you do regular internal security assessments, it will help to ensure you pass the third-party audits that are necessary for compliance.
Anthony Wong says
Mohammed,
Great point. Internal audit should definitely be leveraged prior to going through the external process audit. It can help ensure the enterprise is ready to speak to the mandatory compliance requirements.
Mitchell Dulaney says
Hi Anthony – You’re correct, laws and regulations may dictate that an organization conduct security assessments more frequently than the organization’s policies require. However, if a company is in this situation, I think it’s important for the organization to update their policy to reflect the regulatory requirements they’re operating under. If someone comes into the company and refers to the security policies to conduct assessments, and the policies aren’t in line with the real legal requirements, then the company could be in trouble.
Vraj Patel says
Security assessments should be carried out on a regular basis and/or according to the needs of the company. An internal or external auditor might conduct a security assessment to evaluate the organization’s information system security program and find any shortcomings. The type of data maintained by the company, the criticality of the systems, and the compliance requirements all influence the regularity with which security assessments should be performed and the timeframe. If there are any significant modifications to the network or improvements to the systems architecture, the assessment timeframe may be impacted. As a result, the assessment may need to be performed ahead of time.
Anthony Wong says
Vraj,
I agree that the scope of a security assessment must be finalized and approved by senior management before it is conducted. From my experience, the timeframes for assessments are known and create repeatable processes to increase efficiency in the future. This is all internal processes; external processes are going to differ from time to time.
Kelly Sharadin says
Overall, the answers to the discussion prompt questions regarding security assessments are that it ultimately depends on the business. For example, a financial company may have different regulatory requirements than a construction business and therefore may be held responsible for performing more periodical security assessments. As general guidance, security assessments should be performed biannually (ideally quarterly) to help identify possible configuration drift of security controls, unrealized risks introduced by the business, and risks due to staff turnover. Again, depending on the type of business, it’s crucial to understand what kind of assessment the organization needs to perform. Security assessments may involve physical security, vulnerability assessments for serious development companies, or even red teams to provide a holistic evaluation of an enterprise’s ability to defend against an advanced adversary. To that end, security assessments should prioritize testing against the most likely threats facing an organization and schedule retesting for critical areas of failure (highly exploitable) as the most essential. A completed risk assessment will determine this prioritization of testing. Lastly, the testing frequency will also be determined by senior management’s decision to either have an internal or external team perform the assessment.
Shubham Patil says
Kelly,
I agree that security assessments should prioritize testing but in some types of testing for example in vulnerability testing, a written agreement from management is required. This protects the tester against prosecution for doing his job and ensures there are no misunderstandings by providing in writing what the tester should and should not do.
Vraj Patel says
Hey Kelly, that was a great post. I sure do agree that the requirement to perform security assessments would vary for each organization, as each industry has its own requirements that it has to comply with. Along with that, it also would vary in the type of testing they would perform, as each organization would have its own risks which it has to identify and ensure it has placed effective safeguards.
Mitchell Dulaney says
Hi Kelly – I completely agree that the frequency and types of the assessments that need to be performed can vary greatly from company to company. Every company needs to evaluate the internal and external factors that impact its information security and decide accordingly how often to assess its ISMS.
Shubham Patil says
A security assessment is conducted to explore the risk associated with the organization’s information systems. The scope of the security policy should determine how often the security assessments are performed. Factors such as size, growth rate, resources, and asset portfolio affect the depth of security assessment. Between the tests, monitoring may make the organization aware of newly discovered vulnerabilities that would be found the next time the test is run but that are too high risk to allow to wait that long. And so, another, smaller cycle of mitigation decisions and actions must be taken, and then it is time to run the tests again, which may alter the schedule. Carrying out a risk assessment allows an organization to view the application portfolio holistically—from an attacker’s perspective. It supports managers in making informed resource allocation, tooling, and security control implementation decisions. Thus, conducting an assessment is an integral part of an organization’s risk management process.
Mohammed Syed says
Also prepare a comprehensive examination list of all software and hardware asset reports that your company owns, check for vulnerabilities in your organization’s systems and business processes, and recommend steps to lower the risk of future attacks.
Antonio Cozza says
Nice thoughtful analysis regarding the variations in planned assessments being altered by various factors, Shubham. It really exemplifies how security at almost any and every level is a continuous process that is always changing, and we constantly have to adapt in order to be successful.
Vraj Patel says
Hello Shubham, security assessments do assist in identifying the risk associated with the organization’s information systems. In addition, they will assist management to identify the controls they would have already placed to manage certain risks, as well as bring to management’s attention the controls they might have to implement to protect their information systems from the risks.
Mitchell Dulaney says
Hi Shubham, I agree that properly assessing an information security program should result in a holistic understanding of the vulnerabilities present in the program. Assessing the program will put internal staff in the shoes of a potential attacker and that will facilitate informed decision making regarding risk mitigation.
Mitchell Dulaney says
The frequency with which security assessments need to be performed varies from organization to organization, but typically an assessment of the overall security posture of a company should be performed at least once a year. Depending on the regulatory environment and threat profile of the organization, these assessments might need to take place more frequently. If, for example, an organization is in a highly-regulated industry such as finance or healthcare, they may choose to undergo more frequent assessments to meet regulatory requirements or to simply be more prepared in the event that they are audited. On the other hand, if an organization manages critical public infrastructure or is a high-profile private corporation that would draw more cyber attacks than the typical company, they would likely also choose to assess more than once a year for peace of mind.
Temporary conditions that might alter an established schedule include an increased threat against the organization by politically-motivated actors or a recent acquisition of a competitor. If senior management is considering selling off part or all of the business to a third party, they may decide a security assessment must take place so that they can prove to potential buyers that the existing security posture is sound. Some of the most important assessments for a company to conduct include thorough vulnerability testing for systems identified by the company as most critical, as well as comprehensive internal and external audits to evaluate the overall security of the organization over a given time frame. The focus of these assessments and the choice of other regular assessments should be dictated by the security needs of each company and prioritize the protection of sensitive assets and critical business functions.
Kelly Sharadin says
Hi Mitchell,
Great call out on the internal politics of an organization affecting the testing schedule. As a former contractor, client employees would always get nervous that the risk assessment, testing, or audit meant that they would lose their job. As a result, I was continuously caught in engagements where internal teams delayed providing access as long as possible to audit environments. The human element of security is by far the most challenging aspect in my opinion.
Kelly
Antonio Cozza says
Excellent points regarding the altered planned testing schedules, Mitchell; this seems to be a prime reason why many major organizations that can afford it are significantly increasing spending on threat intelligence – to stay on top of movements from APTs in all but especially the same sectors that a given organization is in.
Vraj Patel says
Hello Mitchell, that was a great post. I do agree that the frequency to perform the security assessment should vary from organization to organization, but it should be recommended to perform it at least annually. As there are changes happening within IT more frequently, management should perform the security assessments annually just to identify the gaps within the security of their information systems to efficiently protect their organization from any risks.
Antonio Cozza says
Security assessments are performed at different intervals for different types of assessments and organizational goals, as well as for compliance. At minimum, many assessments are done one time annually, especially for smaller organizations, as these functions do come with associated costs or a halt in developing and continuing other operations for smaller team sizes. A larger and mature organization with expendable resources can run different assessments quarterly. Different factors may encourage changes in assessment scheduling. For example, a zero-day affecting many organizations may encourage a prompt internal vulnerability assessment and accompanying penetration test with varying scopes to ensure protection or that needed patches have been implemented. All types of security assessments are important for an organization. Vulnerability scans should be conducted regularly, which is ultimately however the organization decides is needed, or to be in compliance. Compliance usually suggests the bare minimum, but a more mature organization may want to be proactive and perform different security assessments at a higher frequency. Another main reason to change assessment frequency may be during a time when many changes are being made or new technologies and systems are introduced into a network, in which case an internal audit should be performed soon after, especially to prepare for an upcoming external/third-party audit.
Vraj Patel says
Hello Antonio, it would definitely be helpful for companies to run vulnerability scans regularly to identify any risks. As there are changes happening within the IT environment more frequently, and as software updates are released and patched by organizations often, there would be new risks that could be identified with those new updates.
Mitchell Dulaney says
Hi Antonio. It’s unfortunate that the size and profitability of a company directly impacts its ability to conduct security risk assessments. A small company is just as vulnerable to information security threats as a large company, if not more so. Smaller organizations will typically conduct assessments less frequently than large organizations, and there is pressure to correctly choose which assessments to conduct and to get the most “bang for your buck”.