Assessing Self Assessment for Assessments
There are several reasons organizations engage in security assessment engagements. Formal compliance regulations often drive the need for security review. Maybe a client requires vendors to adhere to a specific security framework. Or an organization is trying to get a handle on the strengths and weaknesses of its current defenses. Whatever the motivation, an unbiased third-party assessment of security management, operational, and technical controls is an important engagement to undertake in order to make informed, risk-based decisions on improving one's security posture.
If you are responsible for your company's security, before you hire a company to do a security posture assessment, you should do your own. Too often I come across organizations that tell me they had a security assessment done months ago and are about done with the remediation. They then pull out the 500-page vulnerability scan report and present it as the sole assessment deliverable. A vulnerability scan is important; continuous scanning with associated processes for remediation is much better. Gathering and then sharing your own assessment data will focus your assessment partner and allow for real business value from the engagement. Without self-assessment, you may be paying for information you already have or can easily obtain for free. Here are some basic steps to get more value out of your third-party assessment:
Ask yourself, where is my business-critical data and which systems house it?
Choose a security framework, or use the one forced upon you via compliance, and read it in its entirety. I recommend the CIS 20 Critical Security Controls and NIST SP 800-171, as they are effective and not overwhelming.
Next, go down the list of technical controls and put a check next to those in which you have invested.
After the checklist, review the policies and procedures associated with the technical controls, if they exist, e.g. the information security policy, asset management, access control, etc.
Share your findings with the third-party assessor.
You now have a sense of where you stand: which controls are in place around your important data, and which are not. The self-assessment is critical in setting the scope and expectations of the third-party security review. Passing this information on to your assessor will increase the business value of the assessment. The assessor will be able to focus on identifying how existing systems can be made more effective and how attackers can bypass the controls you have in place. Assessors will also know where the business-critical information resides and can identify the high risks to the organization. This will enable them to provide you with a prioritized list of actionable information to improve your security posture.
An assessment should reveal blind spots, educate on more effective technologies, identify holes in policies, procedures, and technical controls, and provide a roadmap to better align risk management with business objectives. Gaining and sharing an understanding of your own security posture beforehand will empower your security consultant to provide much more business value than a list of high and critical vulnerabilities on your assets.