Ask The Security Channel Expert: Questions & Answers
Defining the scope of a security assessment

EXPERT RESPONSE FROM: Felicia Wetter
QUESTION POSED ON: 05 October 2006
I find that "security assessment" means different things to different people, and my customers aren't often sure of what they want. What questions should I ask them to help us both define the scope of a security assessment?
The term "security assessment" is widely used throughout the security industry today. It also has different meanings depending on the industry, professional services company and IT department. The best practice for defining a security assessment is establishing the differences between a security audit and a security assessment. Where an audit is performed against established requirements, such as a policy, standard, etc., an assessment is performed against best practice, expectation and/or a standard. It is more interpretative than an audit. For this reason, the chosen methodology for an assessment is critical. With audits there are some methodologies, such as the SAS 70; however, there is nothing similar (an industry standard) for assessments. Therefore, the selection of an assessment methodology has a long-term impact.

In order to define the scope of a security assessment, it is best to start with people, process and technology. There are different methods for each of these groups. For example, is it compliance driven: is the customer getting ready for an audit? Is it investigative: does the new CISO want to know what's going on within the organization? Is it to verify policy and standards: does the customer want to ensure the security policies in place are being adhered to by the employees?

Additional questions identify the customer's major areas of concern. For example, is it financial, credit card or customer data? What is the customer most concerned about that would be included in the assessment?

The last part of defining the scope of the assessment would be the technology aspect. How large is the customer's environment (infrastructure)? Does the organization have multiple locations, and are all of these included in the assessment? Determining the number of IP addresses, servers (including server types), desktops (including OS versions) and network devices (including firewalls and VPNs) also helps to determine the breadth and depth of the scope. Other items that can be covered in a security assessment can include wireless networks, physical security and social engineering. Whether or not these are required by the customer should be determined and used to define the scope of the assessment.
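The sizing questions in the technology part of the answer (locations included or excluded, IP ranges, servers by type, desktops by OS version, network devices, and the optional wireless/physical/social-engineering areas) turn into a scope sheet that both sides sign off on before any testing starts. The script below is an added example, not part of the expert's answer: it takes a constructed inventory (the location names, address ranges and counts are made up for illustration), merges overlapping ranges so the address count is honest, totals the assets that are actually in scope, and provides an in_scope() check that a tester can run against a target before touching it, so that an excluded site is never scanned by mistake.

```python
"""Scope sheet helper for a security assessment (added example).

Turns a customer's environment inventory into the figures that size the
engagement: usable address count, asset counts by type/OS/location, which
optional areas are included, plus a check that a target is inside the agreed
scope. INVENTORY and OPTIONAL_AREAS below are constructed sample data.
"""
import ipaddress
from collections import Counter

# Constructed example inventory: one entry per customer location.
INVENTORY = {
    "HQ": {
        "ranges": ["10.10.0.0/22", "10.10.1.0/24"],   # overlapping on purpose
        "servers": {"web": 6, "db": 2, "mail": 1},
        "desktops": {"Windows XP": 40, "Windows Vista": 10},
        "network": {"firewall": 2, "vpn": 1, "switch": 8},
        "in_scope": True,
    },
    "Branch": {
        "ranges": ["192.168.50.0/24"],
        "servers": {"file": 1},
        "desktops": {"Windows XP": 15},
        "network": {"firewall": 1, "switch": 2},
        "in_scope": False,   # customer excluded this site from the assessment
    },
}

# Optional areas: each is in or out by explicit customer decision (constructed values).
OPTIONAL_AREAS = {"wireless": True, "physical": False, "social_engineering": False}


def scoped_networks(inventory):
    """Deduplicated, non-overlapping networks for in-scope locations only."""
    nets = [ipaddress.ip_network(r, strict=False)
            for loc in inventory.values() if loc["in_scope"]
            for r in loc["ranges"]]
    return list(ipaddress.collapse_addresses(nets))


def address_count(inventory):
    """Usable host addresses in scope: overlaps merged, network/broadcast excluded."""
    return sum(n.num_addresses - 2 if n.prefixlen <= 30 else n.num_addresses
               for n in scoped_networks(inventory))


def asset_totals(inventory):
    """Servers by type, desktops by OS and network devices by kind, in-scope only."""
    totals = {"servers": Counter(), "desktops": Counter(), "network": Counter()}
    for loc in inventory.values():
        if not loc["in_scope"]:
            continue
        for key in totals:
            totals[key].update(loc[key])
    return totals


def in_scope(target, inventory):
    """True if the target IP lies in an agreed in-scope range; run before touching a host."""
    ip = ipaddress.ip_address(target)
    return any(ip in net for net in scoped_networks(inventory))


def scope_sheet(inventory, optional_areas):
    """Assemble the scoping figures (locations, addresses, assets, optional areas)."""
    totals = asset_totals(inventory)
    return {
        "locations_in_scope": sorted(n for n, l in inventory.items() if l["in_scope"]),
        "locations_excluded": sorted(n for n, l in inventory.items() if not l["in_scope"]),
        "networks": [str(n) for n in scoped_networks(inventory)],
        "usable_addresses": address_count(inventory),
        "servers": dict(totals["servers"]),
        "desktops_by_os": dict(totals["desktops"]),
        "network_devices": dict(totals["network"]),
        "optional_areas_included": sorted(a for a, on in optional_areas.items() if on),
    }


if __name__ == "__main__":
    for key, value in scope_sheet(INVENTORY, OPTIONAL_AREAS).items():
        print(f"{key}: {value}")
    print("10.10.1.7 in scope:", in_scope("10.10.1.7", INVENTORY))
    print("192.168.50.9 in scope:", in_scope("192.168.50.9", INVENTORY))
```

With the sample data the two HQ ranges collapse to 10.10.0.0/22 (1022 usable addresses), the Branch site contributes nothing because it was excluded, and a Branch address fails the in_scope() check. Keeping the exclusions explicit in the inventory, rather than simply omitting them, records the customer's decision alongside the figures the scope was priced on.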
All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy