A DIY Security Assessment

June 15, 2017

Information security assessments are a popular service.  Organizations are seeking consulting help to review their existing information security program, define gaps, and make security recommendations.  Many of these services include providing a roadmap to include projected costs and a prioritized set of recommendations.  Even organizations with a large security staff and an empowered Chief Information Security Officer, see the value in having a team of outside consultants perform this vital work.  The consultants are unencumbered by corporate pressures and politics and are free to make their recommendations without undue influence.

The exercise is normally a frenetic one that involves a period of document reviews followed by on-site workshops and interviews to ascertain the organization’s existing security baseline.  A sound assessment must evaluate all the elements of a comprehensive security program to include organizational policy, technical implementation, and risk management oversight activities.  The resulting report is often hundreds of pages long and documents the breadth of policies, processes, tools, and organizational activities that define the efficacy of the current program.  Modern assessments ensure the current and projected states are judged not against rote checklists, but on the existing and projected maturity of the security program.

Not every organization has the time or resources to make such an investment.  For you, I offer the following steps you can take to perform your own version of an organizational security self-assessment. 

First and foremost, you need to review your policies and procedures.  Start by defining the roles individuals play in your security program.  These should include decision makers and IT leaders as well as those with the word security in their title.  Your policies should establish the program and the risk management activities involved.  Make sure they are current and have a mandatory refresh cycle.

The next key review should focus on what critical and/or sensitive data you transmit, store, and process.  Ensure you know everywhere this data exists in your environment.  Then you must ensure you have a data classification policy that has effective enforcement mechanisms. 

Then look at those elements of your program that define a security-focused configuration of your applications and infrastructure, including servers and workstations.  This process must be supported by a recurring change control system that ensures security is a primary consideration for any system deployments, upgrades, or expansions.  Your processes should ensure business units sign off on their risks, and have a way to track and remediate risks as a central component of IT management.

Identity and access management are central to ensuring access to sensitive resources are properly granted and monitored.  This is especially important for privileged accounts and service accounts that are often used as backdoors for attackers and insiders looking for information outside their assigned role.  Your processes here need to be focused on ensuring appropriate personnel access based on a person’s identified role and functions, and the capability to manage this process closely.

Finally, ensure you not only have a comprehensive backup and recovery plan but that you test it regularly to verify it works as designed.  Natural disasters and environmental catastrophes are far more common than most organizations would like to admit.  Knowing your critical systems have an operational capacity to recover within an acceptable timeframe is one of the biggest challenges of all.

There are many more elements to a comprehensive security assessment, but the aforementioned activities are considered basic hygiene necessary for an organization to have a rudimentary baseline from which to build and mature their program.  You can take some time to look at an initial do-it-yourself security assessment, then seek out the professionals if you can budget for it.

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].