IT Security Assessment Must-Haves

January 12, 2015


IT Security is a hot topic, with new security vulnerabilities announced daily. Businesses everywhere are demanding that their internal IT groups prevent corporate break-ins and the theft of credit card information and proprietary data. It is essential that organizations take a proactive approach to IT security. Understanding your IT security vulnerabilities is key to mitigating your security risk and to knowing where best to invest in technologies and training to protect your organization. This renewed focus has businesses seeking outside services from IT Security firms. The service offering that comes up first is typically an IT Security Assessment, which leaves many organizations asking what such an engagement should include.


ETS is a Chicago area based IT Security Consulting firm that offers customized and comprehensive IT Security Assessment services for clients. Listening to and understanding the client’s unique security requirements is critical to making an IT Security Assessment engagement successful. To that end, it helps to understand which “must-haves” an IT Security Assessment should provide your organization.


IT Security Assessment Must-Haves


1. Objectives Gathering – If you want a productive outcome you must spend some time determining your objectives. Every organization is different and faces security threats from different vectors. Information and systems have different values and different vulnerabilities. Most organizations also have limited resources, and unfortunately it is not always cost effective to try to protect yourself from every possible scenario or threat. Your objectives should reflect the likelihood and impact of a break-in against each of those assets, so that effort goes where the risk is highest.


2. Inventory – Security threats can come from many different vectors and sources: mobile devices, workstations, laptops, servers, cloud based applications, support systems, and even Programmable Logic Controllers (PLCs) used in manufacturing environments. Basically, just about anything that plugs into the network has potential vulnerabilities, and you cannot assess what you do not know you have. In today’s world many organizations also rely on cloud based services, which need to be included in a comprehensive IT Security Assessment even though they do not sit on your own network.


3. Security Policy Review – Many security vulnerabilities are related to how organizations allow access to their systems and information. Having well thought-out and documented security policies ensures that granted access is understood and properly limited. This includes how vendors, alliance partners, and customers access data, not just how employees do.


4. Password Management – Related to policies, but important enough to call out separately as a must-have: an IT Security Assessment should review your password policies and how passwords are managed in practice. Credentials are the keys to your systems, network, and data, so weak or reused passwords undermine every other control on this list.


5. Patching Methodology – With so many devices and applications in your environment, effective patching is critical to security. This is perhaps one of the most important practices in the security realm and the easiest way to quickly reduce the risk of security vulnerabilities. ETS offers Ongoing and Managed Services associated with patching that help to ensure your organization’s systems and applications are up to date and protected from known security vulnerabilities.


6. Vulnerability Scanning – A comprehensive IT Security Assessment may include vulnerability scanning, which verifies that patching is actually keeping up and finds exposures (misconfigurations, default credentials, unsupported software) that patching alone does not address. Scanning assumes that patching is already in place: if you are not patching, the scan results will simply be dominated by missing patches, so fix the patching process first and use the scan to confirm it is working.


7. Gateway / Firewall Security – The ability to detect and block potential security threats often starts at the perimeter of your environment. An appropriate next generation gateway / firewall security solution helps you understand and analyze suspect traffic entering and leaving your environment. Content Filtering is another critical area that can help reduce risk by proactively scanning web traffic for known malicious content.


8. Training – All the best systems in the world can be bypassed by a single click of the mouse. Security Awareness Training is an essential component to any comprehensive approach to organizational security. Taking up the conversation with associates about the importance of security and how to avoid targeted attacks is absolutely critical. An IT Security Assessment should always take training into consideration. IT Security is not just your IT department's responsibility. Everyone in the organization has a responsibility to learn how to protect themselves and be protective stewards of the organization's information.


9. Prioritized Action Items - Ultimately the entire point of conducting an IT Security Assessment is to provide prioritized, actionable next steps to further secure your environment. Recommendations should analyze areas of risk and highlight remediation actions. The organization needs to understand both the risk and cost of risk-mitigation so that investment decisions can be made.


The ETS Consulting Methodology starts with listening, so contact a representative at ETS today to start the conversation.


A modified version of this article was published on PRWEB on January 14th, 2015.
