The Information Security Program and How a Security Assessment Fits In
59
• Expertise and best practices — Some companies do not have the expertise
to conduct a security assessment. A qualified independent third party can
provide the expertise and knowledge of best practices that will make the
security assessment process more meaningful. If you engage the right
third party with the appropriate skill sets, they can provide a different
perspective because of their experience with other companies or groups.
Remember that for a third party, security is their area of expertise and
they have probably seen a variety of ways that environments are secured.
If you use a third party, this experience and knowledge can be leveraged
to improve your own information security program.
• No politically motivated inhibitions — Independent third parties do not
tend to have any friends or enemies or relationships that might cloud their
judgment during the security assessment process. As we discussed earlier,
security assessments potentially uncover information about how securely
your business is run. Some findings might embarrass someone or make
someone defensive. Internal parties who do not have the required level of
independence can be influenced by their relationships. Independent third
parties, on the other hand, do not have these concerns. As a result, their
findings will be objective and unbiased.
Managing Security Risks Proactively
Ideally, security assessments should be performed on a regular basis because doing
them often allows you to leverage what you already know about the business and
just look at changes to the business on an ongoing basis. Basically, the first
assessment is the “baseline,” and all subsequent assessments address changes to
the business based on the “baseline.” This is an efficient and effective way to manage
security risks. The security assessment process is a way for companies to look at
the information security program and ensure that security risks are managed in a
cost-effective manner. By conducting security assessments, companies learn what
their risks are and what the associated impacts of those risks are. Based on this
knowledge, companies can then make informed decisions on how to allocate funds
and resources to manage security risks cost-effectively.
Without this process, resources for information security, including staffing and funds,
may not be allocated properly. Stepping back periodically and evaluating the
information security program provides a fresh perspective on whether the information
security measures in place are appropriate.
One of the classic examples in recent years is intrusion detection. These systems
can require significant administration time because of tasks related to updating
detection signatures, reacting to alerts, and fine-tuning the system to minimize false
alarms. Some companies have implemented intrusion detection systems without
considering whether they have the resources to properly administer them or whether
they really need them. In the end, many of these companies do not end up using
intrusion detection. The result is a very expensive system on the network that is not
managing any risk or providing any benefit to the company. In this example, a
security assessment would have determined whether a need for intrusion detection
AU1706_book.fm Page 59 Wednesday, July 28, 2004 11:06 AM