A security assessment is conducted to determine the degree to which an information system's security controls are correctly implemented, operating as intended, and producing the required level of security. A vulnerability assessment is conducted to identify weaknesses in those systems that an attacker could exploit to breach them. Without regular security and vulnerability assessments, an organization has no evidence that its systems are as secure as intended, and drift between the documented and the actual configuration goes unnoticed.
A security assessment policy should apply to all information systems and information system components of a given company. Specifically, it includes:
- Mainframes, servers and other devices that provide centralized computing capabilities.
- SAN, NAS and other devices that provide centralized storage capabilities.
- Desktops, laptops and other devices that provide distributed computing capabilities.
- Routers, switches and other devices that provide network capabilities.
- Firewalls, intrusion detection and prevention (IDP) sensors and other devices that provide dedicated security capabilities.
Security and vulnerability assessments should be performed against all information systems on a pre-determined, regularly scheduled basis. While both kinds of assessment may be performed by internal staff on an ongoing basis, third parties should be retained periodically to provide independent coverage and oversight; internal teams tend to test against their own assumptions about the environment.
Info-Tech Research Group has developed the following outline for conducting a thorough assessment. You can also download their Security Assessment Policy at no cost from the IT Business Edge Knowledge Network.
Security and Vulnerability Assessment
1. Determine the scope of the assessments to be performed.
2. Establish a prioritized assessment schedule.
3. Identify and gather the required skills and tools.
4. Create an assessment implementation plan.
5. Review system documentation, including system configuration documents and system log files, to determine the expected security configuration and capabilities of the system.
6. Identify and analyze the target system through investigative techniques including network footprinting, port and service scanning, and vulnerability scanning.
7. Validate the vulnerabilities discovered in the previous step through techniques including penetration testing, password cracking and social engineering, so that the report contains confirmed weaknesses rather than unverified scanner output.
8. Review the validated findings to determine their risk and cost impact on the organization.
9. Create a final report outlining the findings of the assessment.
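Steps 5 through 9 have a concrete shape that the list above leaves implicit: the documented configuration from step 5 is the baseline, the scan output of step 6 is compared against it, step 7 marks which deviations were confirmed by hand, and step 8 ranks what remains. The script below is an added illustration of that comparison and is not code from Info-Tech Research Group or the original article. The baseline, the hosts, the simplified comma-separated scan format, the "validated" set and the severity weights are all constructed assumptions; in practice the records would come from nmap or a vulnerability scanner and the weights from the organization's own risk criteria.

```python
"""Compare observed scan results against the documented baseline and rank deviations.

Added example, not the article's or Info-Tech's code. The baseline, scan
format and scoring weights below are assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Step 5 input: expected configuration taken from system documentation.
# Constructed for this example: host -> {port: documented service}.
BASELINE = {
    "web01": {22: "ssh", 443: "https"},
    "db01": {22: "ssh", 5432: "postgresql"},
}
# Hosts the documentation marks as reachable from outside the perimeter (assumed).
INTERNET_FACING = {"web01"}

# Step 6 input: constructed scan output, one "host,port,state,service" record
# per line (a simplified stand-in for what a port/service scanner would emit).
SCAN_OUTPUT = """\
web01,22,open,ssh
web01,443,open,https
web01,8080,open,http-proxy
db01,22,open,ssh
db01,5432,closed,postgresql
db01,23,open,telnet
"""

# Step 7 input: deviations an assessor confirmed by hand (constructed), e.g. the
# proxy on web01 was reachable without authentication.
VALIDATED = {("web01", 8080)}

# Indicative base severities for unexpected services; illustrative weights only.
SERVICE_SEVERITY = {"telnet": 9, "http-proxy": 7}
DEFAULT_SEVERITY = 5


@dataclass(order=True)
class Finding:
    score: int
    host: str = field(compare=False)
    port: int = field(compare=False)
    kind: str = field(compare=False)
    detail: str = field(compare=False)


def parse_scan(text):
    """Turn scan records into (host, port, state, service) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, state, service = line.split(",")
        records.append((host, int(port), state, service))
    return records


def compare(baseline, records, internet_facing, validated):
    """Diff observed services against the documented baseline (steps 5 to 8).

    unexpected_service: an open port the documentation does not list.
    missing_service:    a documented service that was not found open.
    Score = base severity by service, +3 if the host is internet facing,
    +2 if an assessor validated the finding. Highest score first.
    """
    observed_open = {}
    for host, port, state, service in records:
        if state == "open":
            observed_open.setdefault(host, {})[port] = service

    findings = []
    for host, ports in observed_open.items():
        for port, service in ports.items():
            if port not in baseline.get(host, {}):
                score = SERVICE_SEVERITY.get(service, DEFAULT_SEVERITY)
                score += 3 if host in internet_facing else 0
                score += 2 if (host, port) in validated else 0
                findings.append(Finding(score, host, port, "unexpected_service",
                                        f"{service} open but not in documented configuration"))
    for host, ports in baseline.items():
        for port, service in ports.items():
            if port not in observed_open.get(host, {}):
                findings.append(Finding(2, host, port, "missing_service",
                                        f"documented {service} not found open; capability gap"))
    return sorted(findings, reverse=True)


def report(findings):
    """Step 9: render the ranked findings as a plain-text table."""
    lines = ["score host   port  kind                detail"]
    for f in findings:
        lines.append(f"{f.score:>5} {f.host:<6} {f.port:<5} {f.kind:<19} {f.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = compare(BASELINE, parse_scan(SCAN_OUTPUT), INTERNET_FACING, VALIDATED)
    print(report(results))
```

Run as-is, the unexpected proxy on the internet-facing web01 ranks first (base 7, +3 exposure, +2 validated), the telnet listener on db01 second, and the documented PostgreSQL service that was not found open is reported as a low-scored gap rather than ignored: a documented capability that is absent is still a deviation from the baseline the assessor should explain in the final report.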
Violations of the established policies or procedures should be treated as a security breach and, depending on the nature of the violation, sanctions should be applied. Such action may include a written reprimand for a minor breach, suspension for multiple minor breaches or a single major breach, or termination for multiple major breaches.