
Assessments identify security shortcomings

Information security assessments clarify what data in an enterprise needs to be secured, where vulnerabilities may lie and how they should be mitigated.

Every IT administrator wants to do a good job securing their organization's network, data and infrastructure. However, in order to establish a secure environment, admins need to identify the how, what and why of their organization's data, users, policies and technology.

Admins can't secure or mitigate what they don't recognize as important or as a problem. Recently, at Information Security magazine's Security Decisions conference, Stephen Mencik, senior infosec engineer at ACS Defense, presented the National Security Agency's Infosec Assessment Methodology as a model for companies to follow.

Mencik suggested the following pre-assessment strategies:

  • Use a common methodology. When performing an information security assessment, organizations want to use a common methodology like the NSA's. Otherwise, according to Mencik, "It's difficult if not impossible to compare results over time." Also, if you have to analyze a multi-site network, "You want to be able to compare assessments done by different teams." A common methodology enables continuity across time, location and people.
  • Interview the right people. The success of the assessment depends on the kind of information you can learn, said Mencik. Assessors need to get as much truthful, detailed information as possible in order to "find out how operations really occur."

In terms of the actual assessment, here are the highlights of what every information security assessment should examine, according to Mencik:

  • What are the information security roles and responsibilities of users? From the average user to upper-level management, find out what users are responsible for managing and what they have access to. This information will help you create a comprehensive picture of how users expose sensitive data.
  • How does the organization conduct identification and authentication? Mencik stressed that assessors should look at how identification and authentication are done on all of an organization's systems. Can someone easily fake an identity to gain access to a system? Who has access to what?
  • What is the antivirus strategy? Those conducting an assessment need to look at a number of factors, such as policy, scanning equipment, employee education and the scanning of incoming software, to get a handle on an organization's antivirus tactics.
  • How is the physical environment secured? Is the door to the server room locked? Do employees need an ID to access sensitive equipment or even just to enter the office? According to Mencik, "If you have good physical security, it can sometimes make up for vulnerabilities in other areas."
  • How are employees hired and trained? Does the organization conduct background checks before hiring, especially for IT staff? Do employees undergo formal security training? In many ways employees are considered the weakest link; without proper training, users are especially susceptible to social engineering attempts, said Mencik.
  • Does the organization perform auditing? Does a policy exist for mandatory auditing? Do admins know how to conduct an audit? Regular auditing can reveal whether or not security policies are being enforced.

Download Stephen Mencik's presentation from Information Security Magazine's Security Decisions 2003.

FEEDBACK: What is your strategy for conducting an information security assessment?
Send your feedback to the news team.
