Who Needs Security Assessments?

Security assessments are ultimately used to determine risk, so understanding how an organisation handles risk is the starting point for improving how testing is conducted.

A security assessment (or penetration test) of an organisation or system is often commissioned by the IT or Security function, but the report and consequential recommendations will influence many others. The results must be put into context for each particular audience if they are to be useful to the organisation as a whole.

I have my colleague Tom Keegan to thank for producing the following diagram, as it does a great job of describing the roles typical of risk management:

Management Board

Starting at the top, the Management Board review the risk exposure and determine what constitutes an acceptable level of risk to ensure a sustainable and resilient organisation. This sets the context for any issues identified during the assessment, and without this input none of the other functions can...well, function.

The Management Board will require evidence of any high-level organisational issues that mean their view of risk exposure (or even risk appetite) could be misaligned.

Results Needed: Evidence of organisational or environmental changes that require an adjustment to policy or risk appetite

Executive Committee

The Executive Committee look at strategic risk that could threaten long-term objectives. The Executive Committee therefore need information that will help define the risk strategy.

A lot of this information, such as threat intelligence and business objectives, is gathered prior to defining the security strategy. Gaps in the approach, or even changes in the threat landscape, will manifest as vulnerabilities identified during the assessment. Following an assessment, therefore, the committee will need information about the effectiveness of that strategy and recommendations to cover previously unknown areas of risk.

Results Needed: Updates to the strategy required to address 'blind spots'

Management

Management perform analysis and tactical management of risk at an enterprise level, setting compliance objectives and standards that must be met. The assessment must therefore identify where failures in process have led to the presence of vulnerabilities.

If management are provided with the correct information, issues can be addressed holistically at the source in a far more efficient manner. An example could be weaknesses arising from a lack of secure coding skills in the development team, requiring training to ensure that future vulnerabilities are not introduced.

Results Needed: Mapping of individual issues to process failures or capability gaps

Employees

Employees are responsible for the identification and treatment of risk. This could be indirect (through simply following the policies laid out by the management team) or direct involvement in resolving issues.

In most cases the recommendations from the assessment will be directly consumed by the employees responsible for implementing them - the IT team making system changes or business analysts making process changes. Employees may also require evidence of the assessment as part of an awareness exercise - demonstrating the purpose behind security policies or controls.

Results Needed: Technical recommendations and remedial action for individual issues

Internal Audit & Risk Management

Internal audit and risk management are primarily concerned with reporting of risks, and so the results of any assessment will need to be quantifiable and fit into any current reporting systems.

The team also need information on where controls that have been implemented are ineffective, to ensure that the most complete view of risk exposure can be presented to the audit and risk committee.

Results Needed: Compliance metrics against internal baselines, and details of any failing controls

Audit & Risk Committee

The Audit and Risk Committee are responsible for providing assurance that threats are being managed and opportunities are being seized.

The committee will therefore need to know, of the threat scenarios that most concern the company, which could be realised. This takes the technical findings and determines whether the issues identified would allow an attacker to achieve a particular objective.

Results Needed: Real-world impact, supported by threat intelligence and temporal or environmental information

Summary

The value you gain from security assessments can be markedly improved with better input (from your team), and better output (from your appointed assessors). We can see from above that the most valuable result will detail:

  • The control failures that led to the vulnerability
  • The business impact that it has on the company (in the context of the company's risk appetite)
  • The possibility of that vulnerability being exploited to achieve a particular objective
  • The action required to resolve the vulnerability
  • The organisational change needed to ensure the vulnerability is not introduced elsewhere

With this information, the entire organisation can make a reliable and informed decision about how to address security, and ensure that spending is appropriate, proportional and effective. The gold standard for any business.
