APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Regulatory Compliance Security Assessments

© September 2007 Michael Desrosiers

2007/09/08 Michael Desrosiers

This month's topic is on regulatory compliance security assessments and what you should look for in them.

A security assessment is a systematic, measurable technical evaluation of how a security program and its processes are implemented at a specific site. Unlike a black-box penetration test, the assessors work with the full knowledge and cooperation of the organization (a "crystal box" engagement), often with considerable inside information, so that they understand the resources being audited. An assessment is a more comprehensive examination of an information system and its network than a penetration test: it involves not just testing for vulnerabilities, but also reviewing the overall design of the system or process and, where appropriate, the organization's resistance to social engineering tactics.

The assessment should include security checklists and questionnaires that cover networks/LANs, firewalls, Internet access, data access, virus management and similar areas. A quality assessment should also review existing security policies, procedures and programs and identify gaps between them and the standards and guidelines published by the relevant regulatory body.

Phase I - Assessment Preparation

In this phase, the assessor reviews the existing network documentation, policies and procedures and any previous security assessment reports, and interviews technical and management staff. This provides an initial picture of how your systems are implemented and secured, and it results in a specific, detailed assessment plan.

Phase II - Assessment and Review

The assessor will review and critique your systems, policies and procedures. You should expect this phase to open with a security briefing for management that covers the various aspects of technology security, establishes a shared framework for understanding the issues and trade-offs involved, and records management's overall stance on technology security within the company. This briefing defines the foundation for the type and level of recommendations that will appear in the final report. The rest of this phase is a very "hands-on" information-gathering exercise, so the assessor will need access to your servers, workstations, network and staff.

Phase III - Analysis

The assessor reviews and analyzes all of the collected data and reports, including the checklists, vulnerability reports and interview notes. These findings are then compared against your existing policies and the regulatory requirements to identify where the current state falls short of the desired level of security.

Phase IV - Reporting

The final phase delivers a written report containing the analysis and recommendations from the assessment. The report should describe the business's current state of information technology security, list the vulnerabilities identified in your network and systems, and recommend how to mitigate each of them. Network and system topologies, along with the logs, reports and paperwork generated during the assessment, should be included as supporting material.

There you have it. An information technology security assessment should be an important part of any organization's security posture. Keep in mind that once an assessment is completed, your policies and procedures provide the focus for risk assessment and threat management across the institution as a whole. They in turn drive which controls are required to manage those risks at the level of diligence the institution is required to meet.


To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.


Michael Desrosiers
Founder & Principal Consultant
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
