Corporate IT is under increasing threat, and many of those threats are increasingly sophisticated. They can be perpetrated by state actors, cybercriminals, or disgruntled employees, to name a few. Very few of these "bad actors" are caught and prosecuted for their crimes (according to Cyber Security Intelligence, only approximately 4% to 5% of cybercriminals). Cyberattacks are also costly: ransomware is expected to cost $6 trillion per year in 2021, according to Cybersecurity Ventures.
The bottom line is: “We need to stop acting like these attacks are special or rare. If you aren’t the target, you may still be targeted. No one, no one gets off free,” said Sue Gordon, the former Principal Deputy Director of National Intelligence.
This raises the question: How secure is your network? What is your current IT security posture? The answers are crucial to the success of an organization, its business reputation, the safety of its customers and partners, and its financial stability. One important way to get these answers is through an IT security assessment.
IT security assessment defined
An IT security assessment is a process designed to identify vulnerabilities in critical infrastructure, configurations, controls, training, and documentation that increase the likelihood and the long-term impact of a cyberattack. It is the first step in a journey that continues with analysis of the assessment findings and remediation, and "ends" with continual improvement of security management. An IT security assessment may also be driven by a requirement to meet a particular security framework, standard, or regulation, such as HIPAA, NIST CSF, CMMC, CIS-20, and SOC 2. Often this is prompted by a security questionnaire from a partner, customer, or government agency.
Types of assessments
Assessments come in a variety of forms and use multiple methodologies. Common components of an IT security assessment include:
Vulnerability scans
Run within the internal network environment and externally via the internet, these scans identify known vulnerabilities within the local, remote, cloud, containerized, and virtual infrastructure.
Penetration tests
The objective of penetration testing is to determine the modes of exploitation available given the vulnerabilities within your IT environment. It is the active form of assessment and serves to test the effectiveness of the controls you have in place. Testers act like real attackers to test the application or system environment. Because this is an active process, it can result in data loss, data corruption, and downtime. Be sure to clarify the scope and risks of the pen tests with your provider.
Assessments mapped to IT security standards
An IT security standard provides a framework within which controls and the effectiveness of said controls are established. The assessment identifies gaps between the IT security standard to be implemented, and the current security posture of the company. Popular standards and regulations include NIST CSF, ISO 27001, and more. Additionally, managed services providers (MSPs) have their own set of certifications aimed at providing clients and partners with greater transparency and assurance when it comes to IT and cybersecurity best practices. The MSPAlliance® MSP Verify (MSPV), along with its Cyber Verify certification, is the most trusted independently audited program for managed service and IT security providers.
Audits
Here we use the term audit as opposed to assessment. An audit is performed by a third-party auditor for the purpose of certification or an attestation report. The objective is to gain recognized validation of your adherence to a known IT security standard or regulation.
Assessment deliverables
So, what tangible deliverables should you expect to receive from your assessment? These might include:
Vulnerability report
This report details the vulnerabilities identified during the vulnerability scans. It should list each vulnerability together with its Common Vulnerabilities and Exposures (CVE) identifier, the public catalogue of disclosed computer security flaws. The vulnerabilities should be prioritized based on expected impact and other factors.
Gap and recommendations report
This report will provide details on how your environment differs from a chosen standard, or the state of IT platforms in your environment (development, messaging, Directory Services, logging, backup, security training, etc.). Recommendations should cover all vulnerability areas and be prioritized based on the impact of the findings.
Pen test report
Penetration test findings are among the most revealing of the available assessment methods. Assess your current security posture first, then remediate. The pen test report should include:
- Methods used
- Success rates
- Vulnerable systems
- Prioritized remediation recommendations
Remediation roadmap
The remediation roadmap supports a proactive approach to vulnerability management through task assignment and progress metrics that help an organization address the vulnerabilities found in an IT security assessment. Given that cyber threats are continuous and increasingly damaging, the remediation plan must be prioritized with due dates to ensure that the highest and most critical risks are addressed in a timely manner. Remediation tasks can also extend beyond the IT department when compliance requirements are involved.
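The vulnerability report and the remediation roadmap described above both rest on the same step: ranking findings by expected impact and attaching owners and due dates. The following Python script is an added example, not part of the original article or any ZAG deliverable. It uses constructed scan findings (the CVE ids are placeholders, not real identifiers), a simple risk score that weights CVSS by asset criticality and exposure, and per-tier remediation SLAs that are assumptions chosen for illustration.

```python
"""Prioritise vulnerability-scan findings and turn them into a remediation roadmap.

Added example: the scoring weights, SLA days and sample data are assumptions,
not a scanner's or a standard's own values.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample findings. Not real scanner output; CVE ids are placeholders.
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8,
     "criticality": "high", "internet_facing": True, "exploit_public": True},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3,
     "criticality": "high", "internet_facing": True, "exploit_public": False},
    {"host": "file-03", "cve": "CVE-0000-0003", "cvss": 7.5,
     "criticality": "high", "internet_facing": False, "exploit_public": False},
    {"host": "lab-09", "cve": "CVE-0000-0004", "cvss": 3.1,
     "criticality": "low", "internet_facing": False, "exploit_public": False},
]

# Assumed weights: how much a host's business criticality scales the CVSS score.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.8, "low": 0.6}
# Assumed remediation SLAs (days from the assessment date) per priority tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
ASSESSMENT_DATE = date(2021, 1, 4)  # constructed assessment date


def risk_score(finding):
    """CVSS scaled by asset criticality, plus a bump for exposure and a public exploit.

    Capped at 10.0 so the result stays on a CVSS-like scale.
    """
    score = finding["cvss"] * CRITICALITY_WEIGHT[finding["criticality"]]
    if finding["internet_facing"]:
        score += 1.0
    if finding["exploit_public"]:
        score += 1.0
    return round(min(score, 10.0), 1)


def priority_tier(score):
    """Map a risk score onto the roadmap's four priority tiers."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Task:
    host: str
    cve: str
    tier: str
    score: float
    owner: str
    due: date
    done: bool = False


def build_roadmap(findings, start, owners):
    """Create one task per finding, with owner and SLA-derived due date.

    `owners` maps host name to the responsible team; unknown hosts fall to it-ops.
    Tasks are ordered highest risk first so the report reads top-down.
    """
    tasks = []
    for f in findings:
        score = risk_score(f)
        tier = priority_tier(score)
        tasks.append(Task(f["host"], f["cve"], tier, score,
                          owners.get(f["host"], "it-ops"),
                          start + timedelta(days=SLA_DAYS[tier])))
    tasks.sort(key=lambda t: (-t.score, t.due))
    return tasks


def progress_metrics(tasks, today):
    """Progress figures a roadmap owner would track: completion, overdue, open criticals."""
    total = len(tasks)
    done = sum(1 for t in tasks if t.done)
    return {
        "total": total,
        "done": done,
        "percent_complete": round(100 * done / total) if total else 0,
        "overdue": sum(1 for t in tasks if not t.done and t.due < today),
        "open_critical": sum(1 for t in tasks if not t.done and t.tier == "critical"),
    }


def example_roadmap():
    """Roadmap built from the constructed findings with an assumed owner map."""
    return build_roadmap(SAMPLE_FINDINGS, ASSESSMENT_DATE,
                         {"web-01": "web-team", "file-03": "infra-team"})


if __name__ == "__main__":
    roadmap = example_roadmap()
    for t in roadmap:
        print(f"{t.tier:8} {t.score:4} {t.host:8} {t.cve:14} {t.owner:10} due {t.due}")
    print(progress_metrics(roadmap, ASSESSMENT_DATE + timedelta(days=16)))
```

The ordering shows why impact-based prioritization matters: the finding with the second-highest CVSS (7.5) lands above the internet-facing 5.3 only because its host is business-critical, and the 3.1 on a low-value lab host drops to the 180-day tier. Swapping the weights or SLAs for the ones your standard or risk appetite prescribes is the only change needed to adapt the script.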
Audit report and certificate
The report from the certifier or auditor rates your implementation of IT security controls against the audit standard. The report rates your performance in each prescribed security category; for example, in SOC 2 those categories are security, availability, processing integrity, confidentiality, and privacy. In other cases, such as ISO 27001, your company receives a certificate and associated annexes that can be shared with partners and customers at your discretion.
An IT security assessment helps your business learn where its vulnerabilities are so that steps can be taken to address potential issues before they have a chance of becoming real threats. Are you ready to take the next step? Contact ZAG to schedule your IT security assessment and take the future of your business into your own hands.