Independent Information Security Assessment
If you’re responsible for running a major business, law firm or association, then you’re likely well aware of the damage a data loss or network breach can do to your organization.
You’re also not likely to be an expert in IT and information security. So when your IT team tells you it is well prepared to prevent or respond to a breach, how do you know? You double check.
What to Examine
When engaging an independent assessment of your network and information security protection, make sure your outside experts examine, at a minimum, the following:
- Depth and breadth of information security policies
- Employee understanding and adherence to these policies
- Design and structure of your network and system architecture
- Vulnerabilities or risks associated with data storage and access control
- The information security strategic and tactical plans and how robust they are
- A penetration test and what it reveals about the maturity of your systems and controls
- A social engineering test and what it indicates about employee resilience to such tactics
- IT services, processes and procedures (e.g., service model, patch management, alignment of IT skillsets with organization’s need)
What You Might Find
Organizations face widely differing risks, threats and vulnerabilities to their information security depending on their industry, business model, workforce size, culture and other factors. But a thorough assessment often reveals information that is critical to your business and IT leaders.
We recently completed an independent information security review for a CEO who was fairly confident that her overall information security posture was up to par. But after finding herself dissatisfied with her own answers to our diagnostic questions, she decided to double check. What did we find?
- Key deficiencies and gaps in information security policies
- Poor employee understanding of policies and compliance issues
- Network vulnerabilities resulting from oversights in core management tasks
- Unauthorized access to critical information and data
- Inconsistent review of access and permissions granted to users
- Gaps in continuous management of servers, workstations, laptops for vulnerability mitigation (this work was completed immediately after the assessment began)
- A primary daily focus on issue resolution, not strategic program improvement
- Unpatched firewalls and web servers
- Employees who clicked through on social engineering test links because they had not received the training needed to recognize the risk of doing so
What You Can Do
In this instance, given the company’s particular circumstances, the CEO decided to engage us as a Virtual Chief Information Officer (VCIO) to manage her corporation’s information security needs. Most assessments of mature information security programs, however, do not uncover such extensive deficits.
More important is that subjecting your IT and information security posture to the unbiased review of an independent team of experts is a prevention-oriented tactic every organization should consider at some point.
On the one hand, you have to trust your technical experts. If you don’t, then get a new team. On the other hand, trust isn’t an information security strategy, and even the best IT and information security teams benefit from an independent, third-party review.