Everyone in the organization has a responsibility to learn how to protect themselves and be protective stewards of the organization's information.
Lombard, Illinois (PRWEB) January 14, 2015
With announcements of new security vulnerabilities coming every day, businesses are demanding that internal IT staff increase the level of computer network security within their organizations. It is critical that organizations prevent future corporate break-ins and theft of credit card information and proprietary data. Organizations everywhere need to take a proactive approach to IT security. Understanding IT security vulnerabilities is key to mitigating IT security risks, best directing investment in technologies, and training to protect an organization. This renewed focus has businesses seeking outside services from IT Security firms, and the service offering that comes up first is typically conducting an IT Security Assessment. This has many organizations asking what should be a part of such an engagement. ETS is an IT Security Consulting firm based in the Chicago area that offers customized and comprehensive IT Security Assessment services for clients. Listening to and understanding the client’s unique security requirements is key to making an IT Security Assessment engagement successful. To do so it is critical to understand what “must-haves” an IT Security Assessment should provide an organization.
Top 9 IT Security Assessment Must-Haves
1. Objectives Gathering – A productive outcome requires an analysis of objectives. Every organization is different and faces security threats from different vectors. Information and systems have different values and vulnerabilities. Most organizations also have limited resources and unfortunately it’s not always a cost-effective proposition to try to protect the business from every possible scenario or threat. Objectives should mirror the risk and impact associated with a break-in.
2. Inventory – Security threats can come from many different sources. Mobile devices, workstations, laptops, servers, cloud-based applications, support systems, and even Programmable Logic Controllers (PLCs) used by those in a manufacturing environment are common targets. Essentially, just about anything that connects to the network is potentially vulnerable. Many organizations also utilize cloud-based services, and these need to be considered as part of a comprehensive IT Vulnerability Assessment.
3. Security Policy Review – Many security-related vulnerabilities are related to how organizations allow access to their systems and information. Having well-thought-out and documented security policies ensures that granted security access is understood and properly limited. This may include how vendors, alliance partners, and customers access data.
4. Password Management – Password policies and management are critical to the security of systems, networks, and data. If a hacker gains credentials to a business’s IT systems, they can simply bypass most security controls. Businesses must evaluate the frequency of password changes, the complexity of passwords, and even individual users' handling of passwords. A comprehensive IT Security Assessment should call out policy and training efforts required to secure passwords.
5. Patching Methodology – With so many devices and applications in corporate environments, effective patching is critical to security. This is one of the most important practices in the security realm and the easiest way to quickly reduce the risk of security vulnerabilities. ETS offers Ongoing and Managed Services associated with patching that help to ensure an organization’s systems and applications are up to date and protected from known security vulnerabilities.
6. Vulnerability Scanning – Assuming that patching is up to date, a comprehensive IT Security Assessment may include vulnerability scanning. If you are not patching, vulnerability scanning may not be necessary immediately. Systems should first be patched, then vulnerability scanning can determine any remaining vulnerabilities to network security.
7. Gateway / Firewall Security – The ability to detect and eliminate potential security threats often starts at the entrance of the environment. Having an appropriate unified threat management solution helps you to understand and analyze suspicious traffic in the environment. Content Filtering is another critical area that can help reduce risk by proactively scanning web traffic for known malicious content.
8. Training – All the best systems in the world can be bypassed by a single click of the mouse. Security Awareness Training is an essential component to any comprehensive approach to organizational security. Taking up the conversation with associates about the importance of security and how to avoid targeted attacks is absolutely critical. An IT Security Assessment should always take training into consideration. IT Security is not just the IT department's responsibility. Everyone in the organization has a responsibility to learn how to protect themselves and be protective stewards of the organization's information.
9. Prioritized Action Items – Ultimately, the entire point of conducting an IT Security Assessment is to provide prioritized actionable next steps to further secure the environment. Recommendations should analyze areas of risk and highlight remediation actions. The organization needs to understand both the risk and cost of mitigation so that investment decisions can be made in the context of risk.
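The prioritization described in item 9 is easiest to see as a small scoring model. The following Python script is an added illustration, not ETS's method or any part of the original release: each finding carries an estimated likelihood and impact (1 to 5), the likelihood expected to remain after the fix, and an estimated remediation cost in staff-hours. Findings are ranked by risk reduction per hour of effort, and a greedy pass selects what fits a given budget. The asset names, scores and costs are constructed sample values; the 5x5 scales and the staff-hour cost unit are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One assessment finding with the figures needed to rank it.

    Scales (assumed for this example): likelihood and impact run from
    1 (rare / negligible) to 5 (almost certain / severe); cost is the
    estimated remediation effort in staff-hours.
    """
    asset: str
    issue: str
    likelihood: int
    impact: int
    residual_likelihood: int   # likelihood expected after the fix is applied
    mitigation_cost: float

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact", "residual_likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")
        if self.residual_likelihood > self.likelihood:
            raise ValueError("a fix cannot raise likelihood")
        if self.mitigation_cost <= 0:
            raise ValueError("mitigation_cost must be positive")

    def risk(self) -> int:
        # Classic likelihood x impact score (max 25).
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        return self.residual_likelihood * self.impact

    def risk_reduction(self) -> int:
        return self.risk() - self.residual_risk()

    def reduction_per_hour(self) -> float:
        # "Bang for the buck": how much risk each hour of effort removes.
        return self.risk_reduction() / self.mitigation_cost


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Rank findings: best reduction per hour first, then highest raw risk,
    then cheapest fix, so the order is fully determined."""
    return sorted(
        findings,
        key=lambda f: (-f.reduction_per_hour(), -f.risk(), f.mitigation_cost),
    )


def action_plan(findings: List[Finding], budget_hours: float) -> Tuple[List[Finding], float]:
    """Greedy selection: walk the ranked list and take every item that still
    fits the remaining budget. Returns the chosen items and hours committed."""
    plan: List[Finding] = []
    spent = 0.0
    for f in prioritize(findings):
        if spent + f.mitigation_cost <= budget_hours:
            plan.append(f)
            spent += f.mitigation_cost
    return plan, spent


# Constructed sample findings for demonstration only.
SAMPLE_FINDINGS = [
    Finding("file-server", "missing OS patches for a known remote code execution flaw", 5, 5, 1, 8),
    Finding("all-staff", "no password complexity or rotation policy", 4, 4, 2, 16),
    Finding("perimeter", "web content filtering disabled on the gateway", 3, 3, 1, 4),
    Finding("plc-line-1", "PLC reachable from the office network", 2, 5, 1, 40),
    Finding("vendor-portal", "single shared account used by all vendors", 3, 4, 1, 6),
]


if __name__ == "__main__":
    print(f"{'asset':14} {'risk':>4} {'after':>5} {'hours':>5} {'red/hr':>7}  issue")
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.asset:14} {f.risk():4d} {f.residual_risk():5d} "
              f"{f.mitigation_cost:5.0f} {f.reduction_per_hour():7.2f}  {f.issue}")
    chosen, hours = action_plan(SAMPLE_FINDINGS, budget_hours=40)
    print(f"\nWithin a 40-hour budget: {[f.asset for f in chosen]} ({hours:.0f} h)")
```

Ranking on reduction per hour rather than raw risk is what puts the cheap gateway fix ahead of the expensive PLC segmentation even though the PLC item carries the higher impact; the raw risk column stays in the report so the organization can still see what remains unaddressed and decide whether to fund it separately.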