Who is Guarding the Gatekeepers?
KAM
This is a timeless concept from Roman times that has been passed down in popular culture and can be applied to your business security plan. Companies of even modest size and complexity rely on some form of IT to support their computer systems and data. Most companies trust their IT department or Managed Services Provider to have included security as a baseline component of their work.
You see Antivirus (AV) on your computer and you know you have a firewall. You may even have spam filtering for your email, and you almost certainly have backups for your data. You trust your IT department to do these things, but how do you verify that your IT security is doing what you think it is doing?
Trust but verify.
“Fidete, sed verificate” is a famous Latin phrase: trust but verify. You trust that your IT department is doing its best when it comes to the security of your key computer systems and valuable data. However, when you consider their mission alongside the rapidly increasing number of threats, it is better to exercise the “trust but verify” axiom.
Have you asked your IT department how they verify the security controls they manage? Are your IT security controls configured correctly and doing the job? It is a frightening thought to consider that most network breaches are discovered 146 days after the breach occurred*.
What do Security Audits and Financial Audits have in common?
It is common practice to have annual financial audits completed by a third party. The ideal engagement for a Security Audit is one in which a third party partners with your existing IT person/department/MSP to validate what is being done and to comprehensively review your security controls from start to finish. This is more likely to provide an unbiased and valuable assessment. The process must avoid any “blame game” mentality and proceed with a sincere understanding of how difficult it is to consistently configure and manage security controls. A Security Consultation and Security Audit make financial sense – they give you the data to make informed decisions on how to invest to best meet the security needs of your business without wasting money.
Typically, Vulnerability Assessments are a key component of IT security verification; however, there is much more to this than simply running a scanning tool once a month or answering a list of questions. The process must evaluate all the layers of security, including physical, technical and administrative controls, identify the gaps that exist, and provide real steps that can be taken to improve the overall security defenses that protect your computer systems and data.
The Vulnerability Assessment is a comprehensive engagement that goes beyond internal and external network scans. It examines patching success, particularly third-party patching, which many businesses struggle to keep current**; it compares your written policies with what you are actually doing and with best practices in crucial areas such as password management, the principle of least privilege, and validation of the other security mechanisms implemented at your business; and it addresses your compliance regulations (e.g. HIPAA, PCI, SOC2, CMMC).
As a result of your Vulnerability Assessment, you should have a comprehensive technical report, asset report, threat identification, a prioritized gap analysis and a work plan for remediation of any vulnerabilities, and an executive briefing to summarize your overall security posture.
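As an added illustration of the policy-versus-practice comparison and the prioritized gap analysis described above (this is not the article's own tooling, and every policy threshold and "observed" value below is constructed sample data, not evidence from a real environment):

```python
"""Toy gap analysis: compare what written policy requires with what is observed.

Each Control pairs a policy requirement with the value an assessor actually
measured, plus a severity used to prioritize the remediation work plan.
All values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass
class Control:
    name: str
    area: str                              # administrative / technical / physical
    policy: Any                            # what the written policy requires
    observed: Any                          # what the assessment actually found
    severity: int                          # 1 = remediate first
    check: Callable[[Any, Any], bool]      # True when observed meets policy


# Constructed sample controls: policy value vs. observed value.
CONTROLS = [
    Control("Minimum password length", "administrative", 14, 8, 2,
            lambda p, o: o >= p),
    Control("Accounts with Domain Admin rights", "technical", 3, 9, 1,
            lambda p, o: o <= p),            # least privilege: fewer is better
    Control("Days since last third-party patch cycle", "technical", 30, 95, 1,
            lambda p, o: o <= p),            # third-party patching currency
    Control("Offsite backup restore tested this quarter", "technical", True, True, 2,
            lambda p, o: o == p),
    Control("Server room badge access list reviewed", "physical", True, False, 3,
            lambda p, o: o == p),
]


def gap_analysis(controls):
    """Return controls that fail their policy check, highest severity first."""
    gaps = [c for c in controls if not c.check(c.policy, c.observed)]
    return sorted(gaps, key=lambda c: (c.severity, c.name))


def summarize_by_area(controls):
    """Executive-briefing view: area -> (controls assessed, controls with gaps)."""
    summary = {}
    for c in controls:
        total, gaps = summary.get(c.area, (0, 0))
        summary[c.area] = (total + 1, gaps + (0 if c.check(c.policy, c.observed) else 1))
    return summary


if __name__ == "__main__":
    for c in gap_analysis(CONTROLS):
        print(f"[sev {c.severity}] {c.area:<14} {c.name}: policy={c.policy}, observed={c.observed}")
    print(summarize_by_area(CONTROLS))
```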
For most businesses, a full Vulnerability Assessment should take place yearly. Additional internal and/or external vulnerability scans may be needed to validate the integrity of your network when changes occur in your environment. For those under compliance obligations or with increased security needs, ongoing monitoring with Managed Security Services is often required. (See the Layers of Data Security graphic above.)