


Anatomy of a Security Assessment

With data breaches making regular headlines, it's easy to understand why information security is critical. A security assessment is a key step in understanding your organization's level of readiness and maturity. It reveals security gaps and the associated risks, focusing on your overall business environment rather than on specific controls or processes.

Why do I need one?

Security assessments are often mandated by government and industry regulations such as HIPAA, PCI, FISMA, Sarbanes-Oxley, etc. Even if these regulations don't apply to you, chances are you can still benefit from having an independent party identify ways to improve your security practices.

What are the benefits?

Regular assessments help organizations adapt to new threats, increase employee awareness, and can even uncover evidence of an existing compromise (in other words, that an outsider has already accessed your network). The recommendations resulting from a security assessment can help organizations formulate a strong security strategy. Executives can use the results to help factor high-impact investments into future business plans, and customers often view an assessment as proof that you take security seriously.
Read on to learn 5 best practices that will help ensure you're deriving maximum value from an assessment.

TIP #1: Define the Scope.

Security assessments aren't one-size-fits-all. Market pressures, infrastructure, culture, risk tolerance: all of these can vary, so make sure that the key players agree on the scope before the assessment team gets to work.

To help define the scope, here are some questions to ask yourself:

Will this be a comprehensive, top-down, no-holds-barred assessment?

Or should the team focus on specific areas, such as certain security policies and procedures? Take the time to map this out in advance.

Do I need a security assessment or a penetration test?

These are two different things. A security assessment is a top-down evaluation of security practices and helps you understand the strengths and weaknesses of the processes that are in place. It can uncover pervasive and systemic issues within your organization. A penetration test is a bottom-up approach that identifies specific instances of issues and focuses on what's missing, such as which vulnerabilities exist or what needs to be patched.

What are the required deliverables?

After an assessment, organizations should receive recommendations: a roadmap, a detailed evaluation of existing security controls, next steps, and a timetable based on risk and priority should all be part of the final report. Executive-facing summaries should be included as well.

Are expectations aligned?

Have a kick-off call to discuss logistics, introduce the primary stakeholders and team members, and agree on a timeline for the assessment.

What should be included in the assessment itself?

Should regulatory or compliance needs be considered as part of the assessment? Are you focused on a particular framework or on security best practices?

To maximize your investment, confirm that you're enlisting people who are well versed in responding to compromises of varying size and
Once you've locked in your IR firm, establish an incident response team and identify the key players so you can start planning.

TIP #2: Get Your Documentation in Order.

Your assessment team will ask for documentation referencing existing processes, security policies, guidelines and standards. These documents will help them understand your organization's current state, help frame discussions during the assessment, and identify gaps. Remember, the issue at hand isn't how well processes are documented, so there's no need to worry if only informal materials are available.

Here are some examples of documents and collateral that you'll want to

- Practices for Inventorying Devices and Software
- and Training
- Configuration Management and Change Control
- Mobile Devices, Laptops, Workstations, and Servers
- Business Continuity and Data Recovery Processes
- Application
- Documentation on Access Policies
- Antimalware and Other Security Tools
- Patch Management Processes
TIP #3: Focus the Conversation.

An efficient and effective assessment hinges on having a proper understanding of your organization's environment. The assessment team needs to conduct interviews; make sure they're speaking with the right people, especially for any area that is lacking in documentation (see tip #2).
The goal of the interviews is to understand what technologies and practices exist, what high-level controls are in place, and how processes are being followed. So take time to prepare. Interview questions vary, as they are typically quite technical in nature and specific to your organization and to the assessment itself.

TIP #4: Pick the Right People for the Job.

Even if you can do a self-assessment, input from an independent third party is indispensable. But how do you know you're enlisting the best team? Here are factors to consider:

It may seem obvious, but you don't just want individuals with a broad understanding of information security processes. You also want them to have a strong background in technical testing, and extensive experience with security applications, including security information and event management (SIEM)/log management, governance, risk and compliance (GRC), identity and access management, IDS/IPS, advanced persistent threats, antivirus, vulnerability management, and business intelligence. You also want them to be familiar with security topics outside a specific vertical industry.

Quality of work
When it's time to deliver, you'll need a high-quality finished product. Remember, you want to walk away with detailed recommendations (see tip #5). Ask for samples of the team's prior work and client deliverables. Look for a clear roadmap of recommendations as well as a detailed description of the current environment, and make sure the information can be used at both the operational and the management level. If the team you're vetting suggests specific technologies or vendors in their proposal, they may simply be following a template rather than evaluating your specific needs.

Determine where the assessment will be performed and how many members need to be on the team. Note that a larger number of people isn't always preferable. For example, a team padded with junior staffers may have six assessors on paper but the capacity of just two or three.

TIP #5: Learn, Improve.

Don't just toss the results of the assessment into a drawer. Study them closely. Used properly, they can be a springboard to better security.

Focus on remediation, asking yourself what you need to do in order to tackle the more critical issues that emerged from the assessment. Do you need to sideline any projects? Create new ones? Make the case for certain investments? In some instances, you may even determine that you need another, more in-depth assessment. Or, if a compliance audit is imminent, you'll want to know how the gaps identified in the security assessment will affect it.

The Threat Landscape

Technology is evolving, but so are threats. Attackers are growing increasingly sophisticated, adopting new techniques, and pursuing a wide range of goals, be it financial gain, espionage, or notoriety. Regardless of industry and size, assume that your organization will be targeted, at some point, by an attacker.
Safeguarding against threats is no easy feat, given business complexity and budget limitations. But all is not lost: understanding how systems, applications, data, storage devices, and communication mechanisms relate to each other helps you allocate resources optimally. In this way a security assessment can give you a leg up. Ultimately, you'll be able to provide executive management and leadership teams with a clear picture of what's in place, what's working, and what's not.
About Rapid7
Rapid7 cybersecurity analytics software and services reduce threat exposure and
detect compromise for 3,900 organizations, including 30% of the Fortune 1000.
From the endpoint to cloud, we provide comprehensive real-time data collection,
advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs.
Our Strategic Services Program Development helps transform your organization's security program to be relevant, actionable, and sustainable through threat-focused program assessment and development services. Recommendations and advice provide measurable cyber-security improvements over a timeframe appropriate to your
Learn more: http://www.rapid7.com/docs/program-development-services.pdf
