Cyber Security: Leveraging an Audit to Reduce Risks

Cyber security has garnered substantial media coverage in recent weeks, and CIOs and CISOs (chief information-security officer), along with their bosses, are probably wondering if they are doing enough to protect their company’s mission-critical data/information.

If you want to know if you are doing enough, conducting a security assessment/audit is a great place to start. But the key to assurance is on the back end—taking prescriptive steps for mitigating risks the audit uncovers and considering the use of a Managed Security Services (MSS) provider.

The flow of a security assessment/audit looks like this:

> Discovery—During this phase, the auditor performs reconnaissance to identify the client’s infrastructure and obtain information, both public and private, about the target environment.

> Target Profiling—Using the information obtained during the discovery phase, the auditor further evaluates the client’s infrastructure in order to develop a targeted testing approach.

> Examination—This is the phase where the auditor conducts detailed vulnerability scans against the prioritized target groups. Usually the auditor will use a combination of commercial, open-source, and proprietary tools. The objective of this phase is to identify potential security vulnerabilities that affect the client’s overall security posture.

> Risk Validation—The auditor reviews the vulnerabilities to determine their impact on the client’s overall security posture and performs targeted penetration testing that focuses on the high-risk vulnerabilities. Exploitation of these vulnerabilities often yields access to critical systems and sensitive information vital to the client’s operations. The objective of this phase is to provide the client with a clear understanding of the risks associated with the identified vulnerabilities.

> Evaluation—The auditor evaluates the security impact of the identified vulnerabilities as well as the effectiveness of applicable remediation procedures. The auditor should prioritize vulnerabilities based on a combination of factors, including previous experience, ease of exploitation, impact to the client’s overall security posture, and the required remediation effort. The deliverable for this phase should be a roadmap for remediation that can be effectively executed. Most importantly, you should ensure that the auditor presents the findings in a clear and detailed manner.

Some vendors add an assurance phase consisting of ongoing assessments to ensure that the remediation and mitigation steps outlined in the evaluation phase have been properly implemented.

In summary, it is helpful to think of cyber-security audits as an end-to-end process which not only raises the level of awareness regarding risks/vulnerabilities, but is also prescriptive in what proactive steps are necessary to reduce risks.

“An ounce of prevention is worth a pound of cure.”

― American Remembrancer, 1795

From Audit to Implementation:

For companies ready to take the next steps towards implementing a means for keeping their sensitive and mission-critical company information secure, one option is to seek assistance from a Managed Security Services (MSS) provider. Gartner defines MSS as “the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers, not through personnel on-site.”

We recommend selecting two top-tier providers, one to manage the environment and one to conduct the assessment and review and to oversee the deliverables promised.

A key benefit to outsourcing is fast deployment of functions of that do not fit into a company’s core competency, yet must be done well. Another benefit is reduced costs. MSS are available at a fraction of the cost (hardware, software, and staffing) of adding capabilities in-house.