5 TIPS FOR MAXIMIZING THE VALUE OF YOUR SECURITY ASSESSMENT
To help define the scope, here are some questions to ask yourself:
Your assessment team will ask for documentation referencing existing processes, security policies, guidelines and standards. These documents will help them understand your organization's current state, help frame discussions during the assessment, and identify gaps.

Remember, the issue at hand isn't how well processes are documented, so there's no need to worry if only informal materials are available.

Documentation the team will ask for:
- Process Documentation
- Secure Coding Standards
- Vulnerability Assessment and Remediation Practices
- Security Awareness and Training Practices
- Business Continuity and Data Recovery Processes
- Wireless Access Controls
- Configuration Management and Change Control
- Standard Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Application Software Security
- Network Access Policies
- Documentation on Antimalware and Other Security Tools
- Patch Management Processes
Background
It may seem obvious, but you don't just want individuals with a broad understanding of information security processes. You also want them to have a strong background in technical testing, and extensive experience dealing with security applications, including security information and event management (SIEM)/log management, governance, risk and compliance (GRC), identity and access management, IDS/IPS, advanced persistent threats, antivirus, vulnerability management, and business intelligence. You also want them to be familiar with security topics outside a specific vertical industry.
Quality of work
When it's time to deliver, you'll need a high-quality finished product. Remember, you want to walk away with detailed recommendations (see tip #5). Ask for samples of the team's prior work and client deliverables. Look for a clear roadmap of recommendations as well as a detailed description of the current environment, and make sure the information can be used at both the operational and management level. If the team you're vetting suggests specific technologies or vendors in their proposal, they may simply be following a template rather than evaluating your specific needs.
Size
Determine where the assessment will be performed and how many members need to be on the team. Note that a larger number of people isn't always preferable. For example, a significant number of junior staffers will result in a team with six assessors but the capacity of just two or three.
Rapid7.com