- identify critical assets and their value,
- identify potential risks to those critical assets,
- define the likelihood of a threat to those assets,
- identify impact that threat could have on assets, and
- identify/recommend countermeasures to reduce or defeat possible threats.
A Security Assessment is considered a more technical, “architectural review” that evaluates the people, processes, and technology as they specifically relate to cybersecurity.
- Identify technical and IT assets
- Identify potential threats and vulnerabilities
- Develop metrics
- Consider historical breach data
- Calculate cost
- Postulate countermeasures and remediation efforts
Many industries must adhere to increasingly complex regulatory demands. HIPAA, PCI, NY-DFS, CCPA, and GDPR are just a few. These regulations can be extremely complex and touch on more than just the technical aspects of a business. Demonstrating evidence and proof of compliance is the burden of the business. To do so, many businesses must rely on third parties to reduce the pain of managing compliance initiatives, while also minimizing the associated costs and risks of noncompliance.
- Often a manual process with some automated tools.
- Requires highly specialized skills and expertise. Expect a higher price tag.
- A cheap/lowest-cost Pen Test only results in a false sense of security.
- Usually done as a snapshot/single event to validate Vulnerability Management (see below).
- Should be performed on a reoccurring basis (not recurring) according to the overall framework and policies.
- A good Pen Test should do two things:
- identify new vulnerabilities, and/or
- validate the assumptions about the current cybersecurity posture, thereby providing a feedback loop back into the security program.
- The Pen Test allows an organization to truly understand how effective its security is from a “hacker's perspective”.
- Usually delivered via automated tools and software by a professional provider.
- Considered the starting point for a Pen Test. It is NOT a Penetration Test itself (don't let anyone tell you otherwise).
- For any specific vulnerability, the best solutions provide greater context beyond the vulnerability itself, and therefore better threat scoring, reducing false positives and unnecessary panic.
or are you just trying to “check the box”?
For help finding the right cybersecurity companies, solutions, and professional services, reach out to us today. For a free initial consultation, and to start on the road to a new strategy and framework to protect your business, please contact Cloud 9 Advisers now.