CIOReview, November 2020
In My Opinion

HOW TO USE SECURITY ASSESSMENTS TO ENHANCE YOUR SECURITY PROGRAM
By Felipe E. Medina, AVP, IT Security Operations InfoSec Engineering, BankUnited

Many organizations feel that they have mature security programs, with controls in place that meet or exceed the necessary baselines. Yet every industry challenges its security practitioners and leaders at least yearly with new requirements driven by trends and new attack vectors, and keeping up demands a mature, collaborative team that is constantly evolving. One approach many security leaders rely on to keep their programs evolving and learning is to have the program attested by people who did not build it, by means of a security assessment.

Security assessments come in various forms. They are necessary not only to validate your program but also, and more importantly, to gain insight from industry experts. These experts regularly work with other companies on enhancing their programs, and that experience brings a unique outside perspective to the assessment. Note that a security assessment is not a penetration test, which tends to be more invasive and is done covertly. A security assessment will usually focus on a control point or a compliance requirement, but it does not need to be limited to that.

One type is a PCI DSS gap assessment, which lets a company that takes payments, issues credit cards or runs systems that handle credit card transactions confirm that its program is built properly to secure cardholder data. The good news is that you do not necessarily have to pay for an assessment: the PCI Security Standards Council publishes good assessment checklists and Self-Assessment Questionnaires (SAQs) on its site that allow you to self-assess. What third parties that specialize in security assessments add is validation of that self-assessment and preparation for an audit. They prepare you by having a Qualified Security Assessor (QSA), an auditor who knows what will be asked and whom you may not have on staff, perform the assessment.

Other types of security assessments can be done as well. A role-based access control (RBAC) assessment audits how you onboard users to your organization and grant them access according to their job functions; it ensures that you can qualify and quantify the risk of administrator logins within your organization. A network security assessment audits your network, access lists, firewalls, and detection and prevention systems to ensure that proper segmentation, controls and restrictions are in place for your organization's network access, both internally and externally. In addition to these examples there are other types, such as risk assessments for key risk indicators
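As an illustration of the kind of check a network security assessment performs when it reviews firewalls and access lists for segmentation, the following script is an added example written for this page; it is not code from the article or from BankUnited. The rule format, the segment names and address ranges, and the sample rules are all constructed for the example, and the policy it enforces (no permit-all rules, and traffic into the cardholder data environment only from a single source host to a named port) is an assumption chosen for illustration, not a PCI DSS requirement quoted from the standard.

```python
"""Added example: a minimal segmentation review of a firewall ruleset.

Not from the article. Segment names, address ranges, rule format and
sample rules are constructed; the policy checked is an assumption.
"""
import ipaddress

# Constructed segment map (assumed RFC 1918 ranges, for illustration only).
SEGMENTS = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),     # cardholder data environment
    "corp": ipaddress.ip_network("10.20.0.0/16"),    # general corporate network
    "guest": ipaddress.ip_network("192.168.50.0/24"),  # guest wireless
}

# Constructed rules as (src, dst, dst_port, action); "any" means all.
SAMPLE_RULES = [
    ("10.20.5.7/32", "10.10.0.10/32", "443", "allow"),   # one jump host to a CDE app: acceptable
    ("any", "any", "any", "allow"),                      # permit-all rule: finding
    ("192.168.50.0/24", "10.10.0.0/24", "any", "allow"),  # guest network into the CDE: finding
    ("10.20.0.0/16", "10.10.0.0/24", "any", "deny"),     # explicit deny: not a finding
]


def parse_net(text):
    """Turn a rule address field into an ip_network; "any" is 0.0.0.0/0."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def segment_of(net):
    """Name the segment a network falls inside, or "other"."""
    for name, segment in SEGMENTS.items():
        if net.subnet_of(segment):
            return name
    return "other"


def audit_rules(rules):
    """Return (rule_number, finding) pairs for allow rules that break the
    assumed policy: no permit-all rules, and traffic into the CDE only
    from a single source host (/32) to a named destination port."""
    cde = SEGMENTS["cde"]
    findings = []
    for number, (src, dst, port, action) in enumerate(rules, start=1):
        if action != "allow":
            continue  # deny rules cannot open a path
        src_net, dst_net = parse_net(src), parse_net(dst)
        if src_net.prefixlen == 0 and dst_net.prefixlen == 0:
            findings.append((number, "permit-all rule (any -> any)"))
            continue
        if not dst_net.overlaps(cde) or src_net.subnet_of(cde):
            continue  # not inbound to the CDE, or CDE-internal traffic
        problems = []
        if src_net.prefixlen != 32:
            problems.append(f"broad source {src} ({segment_of(src_net)})")
        if port == "any":
            problems.append("any destination port")
        if problems:
            findings.append((number, "into CDE: " + ", ".join(problems)))
    return findings


if __name__ == "__main__":
    for number, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```

Run against the constructed ruleset, the script reports rule 2 (the permit-all entry) and rule 3 (the guest network reaching the whole cardholder segment on any port), while the single-host HTTPS rule and the explicit deny pass. A real assessment would load the exported ruleset of the actual firewall instead of the inline list and would apply the organization's documented segmentation policy rather than the one assumed here.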