Guide to Choosing a Security Assessor

White Paper
www.solutionary.com
(866) 333-2133
Contents
Introduction
Consider More Than Cost Alone
Characteristics of a Security Assessor
Top 25 Questions for Potential Assessment Partners
Other Considerations
Conclusion: Choosing the Right Partner
About Solutionary Security Consulting Services
About Solutionary
Introduction
Technical assessments are a necessary part of an information security program. They
help identify gaps and provide insight into an organization’s current security posture.
Types of security assessments include vulnerability scanning, penetration testing,
application security assessments, infrastructure assessments and physical controls
assessments.
Security assessments can focus on specific compliance requirements or frameworks.
Whether company standards follow HITRUST CSF, ISO, COBIT, COSO, NERC or PCI DSS,
organizations should hire a security assessment firm whose experience and knowledge
match the organization's unique compliance and business requirements. This guide
will cover the key considerations for choosing a security assessment partner.

When preparing for a security assessment, organizations should consider:
1. Regulatory requirements, including any recent changes
2. New systems, applications and environments
3. Gaps in previous audits and remedial action taken
4. Specific protection of sensitive information
5. Scoping to ensure appropriate coverage
6. Identified security initiatives and associated budget
7. Skillsets and experience of internal staff

Consider More Than Cost Alone

The choice of an assessor should go beyond cost alone. Like any other service, the
quality of work performed can vary, depending on the experience of the assessor, as
well as the tools, techniques and methodologies used.

The criteria for each security assessment vary; therefore organizations should choose
an assessor with the levels of experience and competency that meet their business
needs.

The characteristics of the internal security team also matter. A more mature,
experienced security team may not require the same level of communication from the
assessor as a less experienced team.
Characteristics of a Security Assessor
Not all assessors are alike. Years of experience are just as important as, if not more
important than, certifications, since certifications alone do not guarantee hands-on
experience.
The company performing the security assessment should have the following
characteristics:

• Trusted advisor, not just an auditor. It is important that an assessor identifies
positive results to reinforce company progress and practices. As an advisor, the
assessor should provide recommendations for improving the business environment
beyond the security and IT departments.

• Excellent track record of finding vulnerabilities while not affecting business
operations. Technical security assessments, like penetration tests, carry a level of
risk and may be intrusive to a network. An experienced security assessor should
be able to conduct intrusive security testing while allowing the business to function
without disruption of continuity or production.

• Ability to go beyond automated tools. There are many excellent tools available for
finding vulnerabilities in networks and applications. These tools, however, are only
as good as the people using them. Most assessors use automated tools as part of
their assessment toolkit, but they should also be able to employ manual techniques
to find and exploit vulnerabilities.

• Expertise in investigating and identifying security gaps while escalating critical
and serious findings in real time. The risk levels of findings vary, depending on
the threat each vulnerability poses to the company. A good assessor will know how
to determine which vulnerabilities are high risk and will immediately escalate this
critical information to management.

• Qualified professionals performing the assessment. The assessors who perform
the actual assessment should have appropriate expertise. Request resumes of
the actual assessors in order to verify they have proven expertise and appropriate
certifications. The company should also be able to prove that each of the assessors
performing the assessment satisfactorily passed a background check.

• Ability to gather actionable findings and incorporate them into a road map of
strategic and tactical next steps. An assessor should define a plan to ensure
steps are in place to evaluate the entire environment. The assessor should provide
feedback that will help establish the resources and action items required to mitigate
findings in the short term, as well as develop a security roadmap for the long term.

• Proven ability to provide a well-written report. The information gathered from an
assessment is critical to the improvement of an organization's security program. An
assessor should be able to gather the key findings and translate them into overall
risk, as well as provide recommendations for eliminating identified risks, in an
easily understood deliverable. An experienced assessor should be able to provide,
upon request, samples of reports and other deliverables.

• Demonstrable financial stability. The company performing the security assessment
should be able to demonstrate the financial viability, stability and profitability of
its business.
Top 25 Questions for Potential Assessment Partners

Before engaging an assessment firm, organizations should make sure the firm is a good
fit for performing the assessment. Asking key questions will provide an understanding
of an assessor's approach, methodology and experience. Key questions for potential
assessors include:

1. How long have you been in business?
2. How many assessments have you performed?
3. Do you have experience assessing an organization like ours?
4. Can you provide references?
5. How good is the assessment team? What is the experience level of the assessor(s)?
6. Where are the assessors based? Are they located domestically or offshore?
7. Can you provide resumes for the people who will be performing the assessment?
8. Do you perform background checks and drug tests on your assessors? If yes, how often?
9. Do you have regulatory experience that matches our industry requirements?
10. How much will the assessment cost?
11. Are you going to make recommendations we are actually capable of implementing given our budgets and business processes?
12. Will the assessment results provide us with a roadmap for improving our overall security posture?
13. Do you have a security assessment methodology you can share?
14. What is your typical toolset and testing process?
15. Do your assessors only use automated tools or will they also use manual techniques?
16. How will our sensitive information be protected?
17. How will you provide the reports to us?
18. How clear is your report going to be for technicians?
19. How clear will your report be for our decision makers in management?
20. Can you provide a sample report?
21. Are you going to give us priorities based on risk to our business?
22. Are you going to find something that actually improves our security and fits within our risk posture?
23. Will the assessment reveal anything that embarrasses the internal team?
24. How much work is the assessment going to create for us once complete?
25. Will we have a designated point of contact?
Other Considerations
Organizations should identify a partner who can understand client needs and
circumstances, helping to ensure assessment observations are clear and unambiguous
and recommendations are practical and meaningful. The ability to truly consider the
impact on the client is what sets a good security assessor apart.
While security and compliance experience are key, organizations should look beyond
these basic requirements and consider partners who have experience in the technology
and industry being assessed. For example, for application security assessments, the
assessor should have familiarity with the language in which the application is written.
Industry knowledge is helpful for benchmarking, as is familiarity with the types of
data being handled and the systems in use.
Organizations should consider long-term goals when choosing the best security
assessment partner. Some considerations may include:

• Is the organization planning an expansion or expanding into new markets? Changes
in the infrastructure may lead to new vulnerabilities. Substantial changes should be
assessed for security.
• Are new applications being developed or updated internally? New applications,
especially those containing sensitive information, should be assessed for security
with every major update.
• Is the organization developing mobile apps? Make sure the assessor has experience
with mobile application security.
• Do current or new business partners or vendors have access to internal systems?
If so, they should provide proof that they have had a recent security assessment or
agree to having one completed.
• Will the organization be subject to new compliance requirements or adopting a new
security framework? A long-term assessment partner can assist in mapping those
requirements to the assessment results.
Conclusion: Choosing the Right Partner
Choosing the right security assessment partner is an important decision in an
organization’s overall security life cycle. While cost is certainly a factor, there are other
important considerations that should not be overlooked. Organizations should carefully
evaluate potential assessment partners and choose the provider that best fits the
organization’s needs — for both the short-term and the long-term.
About Solutionary Security Consulting Services

Solutionary Security Consulting Services (SCS) specializes in the delivery of
independent security guidance, security controls validation, standards-based
compliance and remediation design and support. SCS consultants engage in
recurring, scheduled security and compliance initiatives or short-term, one-time
projects, whichever best meets the needs of the organization.

SCS Offensive Security Services include technical security control testing
(infrastructure, application layer and device penetration testing), security architecture
design and evaluation services, social engineering and physical security assessments.

Governance, Risk and Compliance Services include services to assess and support
security frameworks and mandates including the Payment Card Industry Data Security
Standard (PCI DSS), the HITRUST Common Security Framework, HIPAA/HITECH, ISO
27001:2 and others.

SCS Offensive Security Services help organizations discover security risks
and comply with regulations. Solutionary consultants proactively test networks,
applications, devices and physical controls using real-world attack scenarios
and manual exploitation techniques to identify and remediate risk-based security
exposures.

Solutionary Assessment Services include:

Penetration Testing (white box, gray box and black box):
• Network
• Application
• Mobile Application
• Wireless Access
• Workstation/Server

Social Engineering:
• Physical Security Exploitation
• Email Phishing
• Telephone Social Engineering
• Social Media

Advanced Multi-Vector Attack Simulation (Red Team/Blue Team)

About Solutionary
Solutionary, an NTT Group security company (NYSE: NTT), is the next generation
managed security services provider (MSSP), focused on delivering managed
security services and global threat intelligence. Comprehensive Solutionary security
monitoring and security device management services protect traditional and virtual
IT infrastructures, cloud environments and mobile data. Solutionary clients are able
to optimize current security programs, make informed security decisions, achieve
regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard®
service platform uses multiple detection technologies and advanced analytics to
protect against advanced threats. The Solutionary Security Engineering Research
Team (SERT) researches the global threat landscape, providing actionable threat
intelligence, enhanced threat detection and mitigating controls. Experienced, certified
Solutionary security experts act as an extension of clients’ internal teams, providing
industry-leading client service to global enterprise and mid-market clients in a wide
range of industries, including financial services, healthcare, retail and government.
Services are delivered 24/7 through multiple state-of-the-art Security Operations
Centers (SOCs).
Contact Solutionary at info@solutionary.com or 866-333-2133
ActiveGuard® US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049; 7,954,159; 8,261,347.
Canadian Patent No. 2,436,096. Solutionary, the Solutionary logo, ActiveGuard, the ActiveGuard logo, are registered
trademarks or service marks of Solutionary, Inc. in the United States. Other marks and brands may be claimed as the
property of others. The product plans, specifications, and descriptions herein are provided for information only and subject
to change without notice, and are provided without warranty of any kind, express or implied.
Copyright ©2015 Solutionary, Inc.
Solutionary.com
Solutionary, Inc.
9420 Underwood Avenue
Omaha, NE 68114
1270WP
1/15