CIOReview | July 2022 | In My Opinion

HOW TO USE SECURITY ASSESSMENTS TO ENHANCE YOUR SECURITY PROGRAM

By Felipe E. Medina, AVP, IT Security Operations - InfoSec Engineering, BankUnited

Many organizations feel that they have mature security programs and controls in place that meet or exceed the necessary baselines. Yet every industry confronts its security practitioners and leaders at least yearly with new requirements driven by emerging trends and attack vectors, which demands a mature, collaborative team that is constantly evolving.

One approach many security leaders rely on to keep their programs evolving and learning is to have the program attested by people who did not build it, by commissioning a security assessment. Security assessments come in various forms and serve two purposes: they validate your program, and, more importantly, they give you insight from industry experts. These experts routinely work with other companies on enhancing their programs, and that experience brings a unique outside perspective to the assessment.

A security assessment is not a penetration test. A penetration test is more intrusive and is often run without the broader organization being told, so that defenders respond as they would to a real attacker. A security assessment, by contrast, usually focuses on a specific control point or compliance requirement, although it need not be limited to that.

One type of assessment is a PCI DSS gap assessment, which lets a company that accepts payments, issues credit cards or operates systems that handle card transactions confirm that its program is built properly to protect cardholder data. The good news is that you do not necessarily have to pay for an assessment: the PCI Security Standards Council publishes a thorough checklist and supporting documents, including its Self-Assessment Questionnaires, that allow you to assess yourself. What third parties that specialize in security assessments add is validation of that self-assessment and preparation for the formal audit. They can prepare

Felipe Medina is responsible for establishing and maintaining a corporate-wide information security technology program to ensure that information assets are adequately protected both on premises and within multiple cloud environments and technologies. This includes maintaining an up-to-date understanding of the latest security threats, trends and technologies; managing and supporting existing security solutions; evaluating, designing and implementing new technical security controls; and working to meet security objectives. He manages the Information Security Operations team, its budget and demand management in an agile work environment, reporting directly to the CISO.