NOVEMBER 2020 | CIOReview | Page 9

to present to upper management/boards, password policy security assessment and just about anything you can think of. So now that you are nervous enough about all of this... don't be. Security assessments are voluntary and can even be run internally through your audit department as part of yearly attestation. Should your audit department find a flaw, they can inform you of what you need to do. Or, if they are concerned that there is no solution to the findings, bring in a third party that can perform a more in-depth assessment, which provides exponential value and visibility into the gaps in the program being assessed. In short, this is a good thing for you, your team and the organization. Identifying these gaps is a great way to ensure you have proper roadmaps and to align priorities so that the work can be scheduled.

Now to the burning question we all have: what does an assessment entail, and what does this process look like? How invasive is it? Well, that depends, really. Usually an assessment kicks off with a series of interviews during the first phase, encompassing the teams that need to be involved to start. These interviews provide the base information needed for the second phase of the assessment. Questions such as which encryption standards are in use, along with requests for network diagrams, policies and procedures, are worked through with the assessor and drive the next phase of the assessment, which is asking for evidence of what was stated in the first phase in the form of demonstrating the controls. During the second phase, these interviews take a more technical form, in that evidence is gathered to validate your control points and policies, as stated above. This can be screenshots, interviews where evidence is shown, and more detailed questions regarding the points, once this phase commences. This can be a more grueling process depending on the type of assessment and on whether the information provided is unclear.
After this is completed, the assessment goes dark for the organization. This is when the assessor compiles the information, makes the observations, writes the report and lists the recommendations to ensure that any corrective actions are spelled out, if that last piece is part of the expertise and called out as per the engagement. In the end, security assessments are a crucial part of vetting your security program as an organization, whether handled internally or externally. The visibility, validation and guidance from security assessments can enhance the program and find gaps in the controls of the company being assessed. The security assessment can also make recommendations about requirements that may be coming into effect, which otherwise overburdened security teams would have to track amongst all the other responsibilities they have. Combining internal audit and external assessments into your security program yearly will help to ensure that your security posture evolves, grows and transforms with the constantly evolving attack vectors that we are faced with every day.

Bio: Felipe Medina is responsible for establishing and maintaining a corporate-wide information security technology program to ensure that information assets are adequately protected both on premises and within multiple cloud environments/technologies. This includes having an up-to-date understanding of the latest security threats, trends, and technologies, managing and supporting existing security solutions, evaluating, designing, and implementing new technical security controls and working to meet security objectives. He manages the Information Security Operations team, budgets and demand management in an agile work environment, reporting directly to the CISO.