What is a Security Assessment?
A security assessment is a scheduled, routine procedure by which an organization records, analyzes, reviews, and remediates its security infrastructure and policies to protect the safety and continuity of its assets and operations. In the context of computer security, assessments cover areas such as information assurance and awareness training, operational security, network security, backup and disaster recovery, physical security, and software patching and updates.
Who provides a Security Assessment?
Typically, an internal team, a third-party security service provider, or a managed service provider performs these assessments on a regular schedule to confirm that data remains protected and that staff are following security policy. Qualified security assessors hold specific, recognized certifications from standardized certification bodies in the information security community, such as the International Information System Security Certification Consortium, or (ISC)² for short. Such certification demonstrates both theoretical and practical knowledge of information security and the ability to apply best practices within their own and their clients' organizations.
What is the Process?
A security assessment involves five phases of analysis, each covering one of the five areas that together make up the organization's security posture:
- Review of Policies, Procedures, Standards and Guidelines of Security Compliance
- Information Awareness and Assurance Training (Employee Education)
- Network Infrastructure and Hardware Analysis (Including security appliances)
- Software updates, patches, and change management procedures (Including security software)
- Encryption and Data Protection measure analysis
This layered approach to building the strongest possible security system is known as the Information Security Model, or more commonly the Defense in Depth strategy: no single control is trusted to stop an attacker on its own, so each layer is expected to cover for failures in the others. Defense in depth is a long-standing principle, borrowed from military strategy, that has been adopted into guidance from bodies such as the National Institute of Standards and Technology and remains a core element of how defenders design security programs. It has continued to evolve over the years and has helped shape the standards behind the compliance laws and regulations we know today.