The first step that self-help books suggest when a person wants to change is to perform a self-assessment.  By honestly looking at yourself – the good, the bad, and the ugly – you gain the knowledge of what direction you need to travel to get the most out of the program you wish to pursue.  Self-knowledge is a tool that helps you focus on exactly what needs to be changed and, ultimately, to be effective in your efforts.

Improving an organization's information security posture requires a similar self-assessment approach.  An appraisal of the existing situation allows for the development or improvement of the enterprise information security program, so that the resulting security controls can be implemented to meet the following goals:

  1. Ensure fiscal responsibility, that is, only spend on what is actually necessary
  2. Provide value to the business through the ability to support needed business innovation
  3. Address organizational risk

There are some rules that should be followed when beginning the process of assessing your organization's information security practices.  The foremost is not to start conversations by criticizing and telling people where they have done things wrong.  Just as a counselor would do when helping you begin a journey of self-discovery, you need to take the time to understand and listen.  Talk to your business and technical leaders.  In most cases they can explain the business case behind a decision, and the needs of the business must be taken into consideration where possible.  You have to understand the existing decisions and their reasoning if you are to bring change to the organization's information security posture.  When you take this approach it will also be easier to go to senior leadership should high-risk issues be uncovered that require immediate attention.

Go it Alone or Solicit Help?

When conducting an assessment there are two paths to follow.  The first is to bring in a third party to perform the assessment; the second is to perform it with an internal team.

Third Party Assessments:

  • Third-party assessments allow for an outside, and therefore more objective, view into your organization's business and technical processes.
  • The expectation is that the third-party assessor will be well versed in the assessment methodology and can therefore conduct the review in a timely manner, will have a current understanding of the policies and security issues facing companies, and can draw on that experience when offering suggestions for improvement.  Verify this before engaging them: ask for the methodology they will use and for the background of the individuals who will actually perform the work.
  • By bringing in a third party you are attempting to bring in an unbiased observer, with the goal of reducing organizational infighting and discovering deficiencies that insiders have missed.  This type of assessment can also be used to moderate differences of opinion between internal groups, such as between IT operations and the information security group.

Internal Assessments:

An internal assessment's focus can vary based on the needs of the organization:

  • If an organization is conducting its first assessment, the primary goal of the review is to determine the scope of needed change within the organization and to ascertain whether a third party should be brought in for a deeper follow-up assessment.
  • If an organization does not require a third-party assessment and has the skills to complete an information security assessment itself, it can choose to execute its own assessment activities.  Be honest about the skills gap here: a team assessing its own controls will tend to share the blind spots that produced the deficiencies in the first place.

My Experience – The Hybrid Approach

Based on my experience, it is best to combine the concepts of external and internal assessments into a hybrid assessment approach.  Below are the high-level activities you would implement to achieve a hybrid information security assessment.

A. Conduct an Initial Internal Assessment

1. This assessment should address issues not just in the IT organization but across the larger organization's business scope.

i. Interview IT and Business leaders

ii. Interview subject matter experts

iii. Conduct the necessary technical testing and document reviews

iv. Document findings

v. Brief leadership on both deficiencies and organizational successes

2. Based on the outcome of the initial assessment, conduct a third-party assessment to dig deeper and remove internal bias.

B. Conduct a Third-Party Assessment

1. Work with subject matter experts, business leaders, and IT leaders to discuss the goals of the assessment.  Ensure that the team understands:

i. The purpose of the assessment is to build a risk-based, prioritized roadmap and plan.

ii. The purpose of the assessment is not to find fault or affix blame for the issues that will be discovered.

2. Work with senior leadership to get their agreement and buy-in for the assessment.  This helps ensure that the assessment is given priority and support, and that the people being interviewed will make time for it.

3. Ensure that the assessment is well planned and that the required resources are available for interviews, testing, and review.  Agree the scope, the systems in play, and the rules for any technical testing in writing before work starts.

4. Execute the assessment and deliver the findings to the organization.

5. Triage the identified deficiencies by risk, assign an owner and a target date to each, and track them to closure.


Continuous Process

Developing an assessment strategy does not end once you have initially assessed your organization and executed a plan to close the discovered deficiencies.  As part of continuous monitoring, it is recommended that you continue the hybrid approach described above.  In steady-state operation this approach looks a little different than it does when you are in the process of initially triaging an organization.

From an internal assessment perspective, you will want to continuously monitor your environment to ensure that implemented security controls stay implemented (configurations drift, exceptions accumulate, and staff turn over) and that new vulnerabilities are not introduced into the environment.  At least annually, have a third-party assessor examine your environment to confirm that you are not overlooking deficiencies and that the controls in place actually provide the security function they were intended to provide, rather than merely existing on paper.

Having a sound approach to security assessments, both at the start of your security program's development and throughout your organization's lifecycle, helps ensure that you are engaging in the activities needed to properly safeguard the organization and to foster its resilience.