96 A Practical Guide to Security Assessments
aligned with the security risks facing the company. Equally important as this definition is what a security assessment is not. Some other types of services that a security assessment should not be confused with include:
• Network assessment — A network assessment focuses on how well a network (local area networks and wide area networks) is meeting business requirements. A network assessment looks at network performance, network traffic patterns, usage patterns, and other metrics such as downtime to determine whether a network is functioning as it should be. In a network assessment, business requirements are reviewed from a different perspective than in a security assessment. Besides focusing on network performance, a person performing a network assessment would also determine whether the current network infrastructure could handle future business requirements. A security assessment might have some commonalities with a network assessment, but the focus is very different.
• Vulnerability assessment — A vulnerability assessment is a technical assessment, where the goal is to discover vulnerabilities in the IT environment, what kind of risk they pose, and how the risk can be mitigated. Unlike with a security assessment, the scope of a vulnerability assessment does not include a review of the overall information security program or how security measures are aligned with security risks. Vulnerability assessments are more technical in nature and do not have as strong a focus on the business as a security assessment does. These assessments are typically done using tools that can examine security settings and configurations very quickly and generate vulnerability reports. The reports must then be interpreted by qualified personnel to determine which vulnerabilities are legitimate for the environment. Some of the tools used in vulnerability assessments generate “false positives” that must be weeded out. For legitimate vulnerabilities, risks and mitigation strategies are typically developed.
Before conducting vulnerability assessments, companies should ensure that they
have already taken appropriate security measures such as applying patches and
closing ports that are not used. It is important to remember that a vulnerability
assessment is only part of an overall information security strategy and is another
layer of security that should be integrated with security policies and procedures and
other information security measures. In fact, there are firms that now offer managed
vulnerability assessments where a network perimeter, a demilitarized zone, or some
other part of the IT infrastructure can be scanned for vulnerabilities automatically
on a regular basis.
Although security assessments differ from network and vulnerability assessments, there are similarities between them as well. They are related and synergies exist that can be capitalized upon to add more value to a security assessment. When conducting a security assessment, information from a network or vulnerability assessment can be invaluable. One example is the concept of availability, which is one of the three key objectives of security (confidentiality, integrity, and availability).
If during a security assessment, you discover that personnel are suffering from