More than ever, companies are leveraging technology to serve their customers better by providing timely and accurate information at the least possible cost. But how vulnerable is your company to accidental or malicious unauthorised access, not only from the outside but also from inside your organisation? The ensuing loss of public trust, failure to comply with regulatory requirements and/or loss of critical systems and data can result in severe financial repercussions. Understanding the security posture of your organisation is the first step towards protecting the confidentiality, integrity and availability of your company’s critical systems and data.
Today’s CIO or IT Manager faces a daunting task when it comes to security, given the growing complexity of network infrastructures and application systems. Often there are also conflicting demands between securing systems and data and making information readily available to an ever-increasing number of users. It is therefore often difficult to know where to begin improving your information security environment, because the number of potential weak points can be overwhelming. This is where a security assessment comes in, as the recommended first concrete step towards improving IT security.
A security assessment helps by identifying security concerns, prioritising the issues found and, ideally, laying down a road map of actionable recommendations, thus allowing the organisation to focus on the tasks at hand and handle matters in order of importance. The assessment also gives the organisation justification to plan for further funding where current funds are insufficient. Conversely, the prioritised recommendations allow the organisation to use whatever resources are available to address the most critical items first.
WHAT DO WE EXAMINE IN A SECURITY ASSESSMENT?
The areas to examine depend partly on the organisation’s line of business or type of operations. The focus of the organisation’s business, the sensitivity of its data and/or transactions, and the regulatory compliance requirements under which it falls will all affect its security requirements. However, the issues can typically be categorised as follows:
- External (or Public) Network Components – These are network devices and/or systems that are accessible from outside the organisation’s network perimeter. This access may be from the public Internet or via an intranet (or private point-to-point) connection from the organisation’s partners.
- Internal Network Components – These are network devices and/or systems located within the organisation’s network perimeter. They include internal network devices; servers and systems; user workstations (including mobile devices such as laptops and PDAs); storage devices; and other I.T. resources such as printers and scanners. Internal network components are also characterised as those used by the organisation’s internal users, i.e. employees.
- Guest and/or Remote Access Networks – Remote access covers company employees who may be travelling or working from a remote location, e.g. telecommuting. These users may require access to critical applications and/or sensitive data while located outside the organisation’s network perimeter. Guest access is temporary access given to non-employees visiting the organisation, who are therefore physically located within the office premises.
- Application and/or Database Systems – These are the applications and/or database systems used by the organisation for its operations. The nature of each application and its data means that each may require a different level of security. This also means that users (e.g. employees, partners, customers) may need different levels of access privilege.
- Security Documentation and Related Processes – Often overlooked is the related documentation, which is meant not only to provide guidance to IT and non-IT users but also to allow for consistency in the execution of these processes.
- Environment – In addition to the common areas of concern, the physical environment also deserves inclusion in any assessment, as it provides the underlying foundation on which everything else runs. This includes the data centre, supporting power systems, cabling infrastructure, etc.
It is the objective of a security assessment engagement to examine all of these areas in some detail, with varying emphasis depending on the nature of the organisation. The goal is to identify vulnerabilities and weak points; understand their relevance and criticality; and then prioritise them by risk and importance.
TECHNOLOGY OR PROCESS?
Organisations often think of a security assessment as the process of evaluating their IT infrastructure, such as their networks, systems, applications and data storage, for security vulnerabilities and weak points. These are indeed important components of a security assessment engagement, as weaknesses in an organisation’s information technology environment can lead to a breach or exploitation.
However, the other side of the coin is the examination of the current state of the organisation’s security processes and procedures. How do people access and share data? How are systems managed and updated? How are applications developed and maintained? This side of a security assessment engagement includes the examination of current documentation such as security policies and related material. It also involves interviews and discussions with key I.T. and management personnel. The goal is to identify gaps and inconsistencies between published documentation and actual practice.
The examination of the technology side and the process side go hand in hand. Unless the assessment is specifically focused on a particular area where a pure technology evaluation or a pure process evaluation would suffice, the recommendation is to conduct an assessment covering both sides of the organisation’s information security framework.
PRIORITISING FINDINGS
Security assessment engagements often result in a large number of findings, which can be overwhelming to the organisation’s IT management. The key is to prioritise these findings by accounting for their potential impact on the organisation’s operations, business and/or reputation. It is a common knee-jerk reaction to prioritise technology components first, i.e. the areas that the IT department directly controls. However, the decision on which findings take priority should involve a discussion not only within the IT department but, more importantly, with key people on the business and management side of the organisation. This process also helps justify further funding (if needed), as the risks are then prioritised in terms that are relevant to management.
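To make the contrast above concrete, the following is an added illustration, not part of the original article and not the author’s method: a small Python model that ranks the same set of findings first by technical severity alone (the knee-jerk ordering) and then by severity weighted with exposure and a business-impact rating supplied by asset owners. The scoring formula, the impact dimensions and all findings, assets and ratings are constructed for the example.

```python
"""Prioritising assessment findings: technical severity alone versus
severity weighted by business impact.

Added illustration only; the scoring model, findings, assets and impact
ratings below are constructed sample data, not a standard or the article's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Business-impact ratings supplied by the asset owner (constructed; 1 = low, 5 = severe)."""
    name: str
    operations: int   # disruption to day-to-day operations if compromised
    reputation: int   # damage to public trust / customer confidence
    regulatory: int   # exposure to compliance penalties

    def impact(self) -> int:
        # Assumption of this model: the worst dimension drives the impact,
        # since a single regulatory or reputational failure is enough to hurt.
        return max(self.operations, self.reputation, self.regulatory)


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    severity: float   # technical severity as reported by the assessor, 0-10
    asset: Asset
    exposure: float   # 0.0-1.0, how reachable the weakness is (1.0 = Internet-facing)

    def technical_score(self) -> float:
        # What the IT department sees first: the raw severity of the weakness.
        return self.severity

    def business_score(self) -> float:
        # Constructed weighting: severity, scaled by how exposed the asset is
        # and by what the business would lose if it were compromised.
        return self.severity * self.exposure * self.asset.impact()


def rank(findings, key):
    """Return finding identifiers ordered from highest to lowest score."""
    return [f.ident for f in sorted(findings, key=key, reverse=True)]


def rank_by_severity(findings):
    return rank(findings, Finding.technical_score)


def rank_by_business_risk(findings):
    return rank(findings, Finding.business_score)


def position_changes(findings):
    """Map each finding to (position by severity, position by business risk), 1-based."""
    tech = rank_by_severity(findings)
    biz = rank_by_business_risk(findings)
    return {ident: (tech.index(ident) + 1, biz.index(ident) + 1) for ident in tech}


# Constructed sample assets and findings for the illustration.
LAB = Asset("internal lab server", operations=1, reputation=1, regulatory=1)
PORTAL = Asset("customer web portal", operations=4, reputation=5, regulatory=4)
PAYROLL = Asset("payroll database", operations=3, reputation=3, regulatory=5)
PRINTER = Asset("office printer", operations=1, reputation=1, regulatory=1)

SAMPLE_FINDINGS = [
    Finding("F-1", "Unpatched remote code execution on lab server", 9.8, LAB, exposure=0.3),
    Finding("F-2", "Session cookie without Secure flag on portal", 5.3, PORTAL, exposure=1.0),
    Finding("F-3", "Shared DBA account, no password rotation", 6.5, PAYROLL, exposure=0.5),
    Finding("F-4", "Default SNMP community string on printer", 7.5, PRINTER, exposure=0.2),
]

if __name__ == "__main__":
    print("By technical severity: ", rank_by_severity(SAMPLE_FINDINGS))
    print("By business risk:      ", rank_by_business_risk(SAMPLE_FINDINGS))
    for ident, (before, after) in position_changes(SAMPLE_FINDINGS).items():
        print(f"{ident}: position {before} -> {after}")
```

Run stand-alone, the lab-server RCE tops the technical list, while the business-weighted list puts the two findings on the customer portal and the payroll database first and drops the lab server and printer to the bottom. The numbers themselves are arbitrary; the point is that the weights in `Asset` come from the business and management side, which is exactly the conversation this section argues for.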
IN-HOUSE OR EXTERNAL CONSULTANT?
One common question is whether the security assessment can be done by someone within the organisation or whether an external consultant is needed. The former obviously offers cost advantages. The tools of the trade for performing vulnerability assessments are certainly readily available, with both free and commercial tools on the market. The usefulness of any tool, however, depends on the expertise of the person handling it. Being able to use a tool does not just mean being able to operate it: these tools typically produce a large amount of data, so the user must also have the expertise to understand, analyse and correlate that data.
An important factor to consider when conducting a security assessment using internal resources is the independence of the internal assessor. Often it is not simply a question of potential bias: an assessor coming from a particular IT group will likely overlook areas that he or she handles on a daily basis. This is natural, as IT personnel have their daily routines and components or systems that are already second nature to them. This brings in the idea of the external consultant.
The main advantage of bringing in an external consultant is that the consultant is not only an independent party but also comes in with a fresh pair of eyes. This means that the consultant is not influenced by any current practice that may be prevalent in the organisation, and will more likely look into each area in a consistent and systematic manner. Not to be overlooked is the occasional case where consultants are part of a vendor or service provider. While their expertise may not be in question, there is always an underlying potential conflict of interest, as the primary objective of vendors and service providers is to sell products and services. Ideally, the consultant should be free from any particular technology or solution, allowing him or her to focus primarily on the organisation’s requirements.
FINISHING UP... WHAT NEXT?
A security assessment engagement typically culminates in a report that details the assessment process and methodology; lists and details the key findings and vulnerabilities; highlights the underlying issues and problems; and outlines prioritised, actionable recommendations on how to address them. The organisation can then use this report to plan short-, medium- and long-term initiatives to address its information security issues. It also allows the organisation (particularly management) to decide whether certain initiatives are worth the risk and/or whether their cost is justified against return-on-investment (ROI) estimates.
The organisation must address the security remediation initiatives in a systematic and planned manner, with proper timelines and resources. There should also be a clear owner of these initiatives, such as a project manager or, even better, a key executive such as the CIO, CTO and/or IT Security Manager. Ad hoc projects done without proper coordination will likely fail, resulting in incomplete solutions, and may even open up new vulnerabilities that put the organisation and/or business at greater risk. Note too that, depending on the external consultant chosen (if the assessment is done with one), they may be in a position to guide the organisation in implementing the recommended remediation efforts.
Security assessment engagements assist the organisation by identifying where the risks are. These risks are prioritised and possible remediation efforts are identified. The bottom line is that a security assessment provides a clear starting point for working towards a more stable and secure business environment for the organisation.
About the Author: Dr. Pierre Tagle has been in the I.T. industry for over 15 years, including 10+ years in senior management and/or consulting roles. Prior to setting up Mobiliance in 2006, he served in various roles, from Campus Network Manager of a large university network, to CIO of a large IT Services firm, to numerous independent consulting engagements in the industry. He has focused on information security and related network consulting services for the past 5 years and holds the Certified Information Systems Auditor (CISA) designation.
Pierre has also served in academia at the university level for 10+ years with the rank of Assistant Professor, lecturing on topics such as network design, IT security and computer architecture, and has guided Ph.D. and M.Sc. students to their postgraduate degrees. He holds a Ph.D. in Computer Science from La Trobe University (Australia), in addition to a B.S. in Physics and Computer Engineering, and has published numerous technical papers.