Whether the Security Assessment is driven by an audit requirement, due-diligence or a compelling event, it is highly likely that there will be a requirement for a third party to conduct the work. Furthermore, the findings and advice identified as a result of the work may need to satisfy internal or external auditors, the board or shareholders. As such, it is clearly important that the style and content of the assessment, those performing the work and the deliverables (i.e. the reports) satisfy the technical requirements set down.
Perhaps more importantly, they must also reflect a business understanding within the context of the project, and be able to present and articulate this to technical and non-technical target audiences.
Business demand has grown alongside the proliferation of information regarding vulnerabilities, their exploitation and remediation. Corporate Internet presence has developed from simple, static brochure sites to increasingly complex interactive applications allowing potential customers and partners alike to delve into the data and systems at the heart of the enterprise.
The requirement may be for a security health check of the underlying infrastructure, comprising vulnerability identification and analysis of the publicly available shrink-wrapped devices and software. Alternatively, the target could be a full proprietary web-enabled application that allows users to initiate transactions and access or modify back-end data, for example Internet Banking. It may also be a small collection of scripts handling customer contact or queries, or the configuration of a document presentation and content management application. The site may additionally be enabled for mobile access, wireless technology may be deployed, or voice and data systems may be integrated; each of these presents new security risks.
It is important to keep sight of what we are trying to achieve and protect through the assessment. Generally the objective is to safeguard the core intellectual and electronic assets of the organisation, and to ensure compliance with regional and global IT and data-protection laws and standards such as the UK DPA, US HIPAA and ISO17799.
The Security Assessment industry has grown rapidly, and clients are now presented with a bewildering array of vendors offering services. Unfortunately, the development of practical and appropriate standards and accreditations has lagged behind. Because of this it is imperative to consider whether the prevailing standards are suitable or appropriate for your requirements.
Look for:
– Methodologies: Compliance with formal methodologies helps ensure that an assessment is both repeatable and of a consistent standard.
– Certifications: Organisational and individual certifications are also useful in gauging whether a supplier is qualified to satisfy the testing requirements. Although some certification schemes apply to the organisation as a whole, they are typically focussed on the individual team members.
– Standards: There are a number of standards and acts relating to general Information Security, including industry-specific schemes. These include ISO17799, the UK Data Protection Act, the US Health Insurance Portability and Accountability Act (HIPAA), and the VISA and MasterCard schemes.
Conclusions
Third-party validation of organisations' security through security assessments is becoming more prevalent (and indeed required). In order to ensure that testing is of the required quality and depth, clients must ensure their suppliers are able and qualified on a number of levels. This can in part be achieved by ensuring that the methodologies in use are compliant with, and ideally exceed, those in the public domain.
http://www.ebcvg.com/articles.php?id=273