A thorough security assessment identifies the areas of vulnerability in all the layers of an organization’s digital, physical and operational processes.
Organizations that assess their security regularly can identify risks while they are still preventable, before they turn into a crisis. A security assessment is not a one-time event; it is a continuing cycle that follows changes in technology and in regulations.
1. Identify Critical Assets And Possible Points Of Entry
The first step to protecting an organization's assets is knowing what needs to be protected.
Critical data, critical infrastructure and critical operational systems must be identified clearly.
Identifying critical assets also means identifying the possible entry points to them.
These may include network connections or employee/user login credentials.
By identifying these potential entry points an organization will have an idea where its greatest exposure lies.
Knowing what your critical assets are will leave you better equipped to develop protection strategies.
2. Assess Technical Vulnerabilities
Security assessment tools will look for potential technical vulnerabilities in an organization’s IT system.
Some examples of potential vulnerabilities include:
Outdated software that contains known security flaws.
Misconfigured networks (this includes routers, firewalls, etc.) that could provide unauthorized access to an organization’s IT systems.
Weak encryption used by an organization to protect sensitive data (e.g., credit card numbers).
Potential technical vulnerabilities will be found through technical audits.
Audits can help identify vulnerabilities that would be difficult to find without specialized knowledge.
Regular vulnerability scanning keeps improving an organization's security posture over time.
3. Analyze Human Risk/Procedures
While technology plays a significant role in the security of an organization, it is also important to consider the potential for human error.
There are many ways an employee can inadvertently compromise an organization’s security.
For example, an employee may:
Use weak passwords that can be easily guessed.
Click on links from emails that appear to be legitimate, but actually contain malware.
Accidentally delete data that is needed for business operations.
Employee education/training, access control and procedures related to how employees perform their jobs must be reviewed regularly.
Having clear procedures in place helps reduce confusion during a crisis.
In addition to providing technical protection for an organization’s assets, having well-trained employees will also help to prevent human-related errors.
4. Document The Results Of The Assessment And Develop Remedial Plans To Address Identified Vulnerabilities
It is essential to document the findings of the security assessment so that identified vulnerabilities can be addressed in a timely manner.
It is recommended that identified vulnerabilities be given priority based on severity and complexity.
After developing remedial plans for the identified vulnerabilities, follow-up assessments should be performed to confirm that the corrective actions were effective and that all previously identified vulnerabilities have been closed.
This cycle of assessment and corrective action is a key element in creating a secure organization.
Conclusion
To create a comprehensive security program, organizations need to assess the potential vulnerabilities within their assets (physical, technical and procedural), evaluate technical vulnerabilities, analyze human risk/procedures, and implement corrective action to address identified vulnerabilities. Continuing to evaluate potential vulnerabilities will allow organizations to stay ahead of the ever-changing threat landscape and ensure that they maintain a high level of resilience. By using a structured approach to conducting security assessments, organizations can transform their awareness of potential risks into tangible security capabilities.