Improving security through assessments

By Seppo Heikkinen


If you are worried about the state of security in your company but don’t really know where to start, then you should consider performing a security assessment to review the current state of your environment.

The first thing you need to realize is that security is not just about getting some great security product from a vendor who insists that their gadget will solve all your security problems. Security is equally about people, processes, and technology. Each of them can be the weakest link that undermines the strengths you have on other fronts. Also, don’t forget what is usually important to the organization: data. Know where your important data assets are.

Thus, you should understand what the current state of each of those areas is. You could call it conducting a security audit, but really it’s about performing a self-assessment or a current state analysis. Naturally, you could contact an external security company – say, Intopalo – to help you out, but the information still needs to be found within the organization, as you – and your employees – are the ones who (should) know your organization best. Often the problem is that the information is scattered all over the organization without anybody bothering to document it. Thus, a holistic overall picture is missing.

When you consider your people, you should ask whether they are receiving any security awareness training and how security conscious they are. Are they aware of your security policies and procedures? Are they aware of how the most common phishing attacks work and do they know not to click every possible link or attachment in the emails they receive? If you are not sure, try interviewing a few of the employees. You might want to consider people who are constantly in contact with other people, like sales and marketing.

When it comes to technology, this is where you could apply those fancy gadgets. In reality, though, they are not that fancy – even some basic technology can take you quite far. However, you should know what kind of building blocks you have. So, check how your network is implemented and what sort of filtering you apply at the boundary of your network – you do apply filtering at the edge, don’t you? It is good to check for all those long-forgotten wireless access points or other access that has been set up for partners and other third parties. And don’t forget those servers that provide services outside your organization. It might be a good idea to be aware of your data stores too, and especially which ones hold the most critical information.

The third area of interest relates to processes. How do you manage all those aforementioned assets? Which of your processes handle sensitive data and what is the workflow like? Moreover, how do you take change management into consideration? Do you keep those fancy gadgets of yours up-to-date? After all, unpatched systems are a major cause of data breaches.

Getting an overall picture of the above areas should be your starting point. If you feel you don’t know where to start – what sort of questions to ask and what sort of information to collect – one option is to use existing security requirement frameworks, such as KATAKRI and PCI DSS, as a source of inspiration. The next step would be to start improving the situation. We’ll return to that point in a later blog post.