Security Assessments, Testing and Audits


Security Assessments

Security Assessments are comprehensive reviews of the security of a system, application, or other tested environment. During a security assessment, a Cyberteam-trained information security professional performs a risk assessment that identifies vulnerabilities in the tested environment that could allow a compromise, and then makes recommendations for remediation as needed.

Security assessments normally include the use of commercial and open-source security testing tools, but they go beyond automated scanning and manual penetration tests. They also include a thoughtful review of the threat environment, current and possible future risks, and the value of the targeted environment.

The main work product of a security assessment is normally a security assessment report addressed to management. It contains the results of the assessment in non-technical language and concludes with specific recommendations for improving the security of the tested environment(s).

Assessments may be conducted by your internal security teams with Cyberteam assistance, or they can be outsourced to a company such as Cyberteam that has specific expertise in the security areas being addressed.

Security Testing

Security testing verifies that a security control is functioning properly. These security tests include automated scans, tool-assisted penetration tests, and manual attempts to undermine the security. Security tests should take place on a regular schedule (e.g. weekly, monthly), with attention paid to each of the key security controls that protect a company. When scheduling security controls for review, Information Security teams should consider the following:

  • The availability of security testing resources.
  • How critical the systems and applications protected by the tested security controls are.
  • How sensitive the data held on those systems and applications is.
  • The possibility of technical failure of the mechanism implementing the security control.
  • The possibility of a misconfiguration of the security control that would reduce security.
  • The risk that the system will come under attack.
  • The rate of change of the security control configuration.
  • Other factors in the technical environment that may affect the suitability of the security control.
  • The difficulty of, and time needed for, testing the security control.
  • The impact that security testing will have on normal business operations.

After assessing each of the above ten factors, security teams should design and verify a comprehensive assessment and testing plan and strategy. This security testing strategy may combine daily automated tests with less frequent manual security tests.

As an example, a credit card processing system can have automated vulnerability scans run on a nightly basis, with notifications to system administrators when new threats are found. The security team can then supplement those automated scans with manual penetration tests from a company such as Cyberteam Security on an annual basis, to minimise costs and disruption to the business.

Security Audits

Security Audits use many of the same analysis techniques used during security assessments, but they are performed by external, independent auditors. While a company's own security staff may regularly perform security tests and assessments, this is not the case for security audits.

Assessment and testing results are for internal use only and are designed solely to evaluate security controls in order to find potential security improvements.

Audits are security evaluations performed with the purpose of proving to a third party how effective the company's security controls are. Staff who design, implement, and monitor security controls have an inherent conflict of interest when evaluating how effective those controls are.

Auditors provide an impartial, unbiased view of the state of the security controls, reporting to CXO-level executives, the board of directors, government regulators, and other third parties. There are three main types of security audits:

  • Internal Audits
  • External Audits
  • Third-party Audits

Please Note

The security assessments, testing and audit information shown above is mostly generic and based on best-practice, therefore to get a better understanding on what we can do for your business, all we ask is that you contact us to discuss your cyber security assessment and testing needs to protect your IT systems and data.