
IT Consultants' Insight on Business Technology | NSK Inc.


Security Assessment vs. Security Audit


What is a Security Assessment? What is a Security Audit? Are they the same thing?

Many tech professionals will tell you that a Security Assessment and a Security Audit are the same thing. Unfortunately, this assumption isn’t valid. To get an answer, I spoke with Ben Howard, a Senior Technician at NSK Inc who is CISSP certified and is in the process of becoming CISA certified. An expert on system security, he clearly explained the difference between a Security Assessment and a Security Audit.

The truth is Security Assessment isn’t a valid term! Most people associate “Security Assessment” with “Vulnerability Assessment” which is actually just one part of a Security Audit. So what exactly is a Security Audit?

A Security Audit is an extensive and formal overview of an organization’s security systems and processes. The audit is an all-encompassing, in-depth, review of not only physical attributes (networks, firewalls, hardware, etc.) but other areas including policy and standard operating procedures.

Security Assessment

The term Security Assessment generally refers to a Vulnerability Assessment, which scans an organization’s infrastructure and identifies vulnerabilities (a faulty firewall, a lack of system updates, malware, etc.). With the assessment results, the technician can recommend steps to remedy the problems within the system.

Keep in mind that a Vulnerability Assessment is only a part of a Security Audit. Assessments can be performed individually, but each one covers only one specific area. A Security Audit, however, looks at all aspects of an organization’s security rather than just scanning the systems currently in place.

A Security Audit consists of:

  • Looking for holes in policy
  • Physical Assessment (hardware, etc.)
  • Access Control Assessment
  • Vulnerability Assessment
  • Design Controls/Processes
  • Review of Standard Operating Procedures and Policies
  • Review of Backup Disaster Recovery/Disaster Recovery Plan
    • This includes a Risk Assessment
  • Configuration Management
  • Compliance Audit
    • HIPAA
    • 201 CMR 17
    • PCI DSS

Put simply, a Security Audit consists of both a technical and a conceptual overview of an organization’s security systems and practices. A Vulnerability Assessment solely scans the organization’s infrastructure and identifies flaws within the system.

Legal Advice For IT Professionals


Even though it may be your job to handle sensitive information, how you handle the data is just as important as how well it is secured.

One of the best ways to avoid any sort of legal snafu is to have a privacy policy in place. The policy needs to be all-encompassing, meaning it covers EVERYTHING accessed on the company’s network (e.g. email, network drives, Twitter, Facebook, VPN connections from offsite, etc.).

Privacy Policy

The policy should set out guidelines for acceptable computer usage when using company resources (including all data).

Another step would be to conduct a Security Assessment and Security Audit.

  • A Security Assessment identifies vulnerabilities within an organization’s infrastructure and then recommends solutions to secure the system.
  • A Security Audit installs an application on the network that is designed to identify, classify, secure, monitor, and report on sensitive data. A manager is then notified every time the data is accessed, so organizations can track who is accessing sensitive data and when and where the access happens.

If you aren’t sure of your organization’s policy regarding sensitive data, ask. If they don’t have a policy in place, inquire about initiating one. This will help to safeguard yourself as well as the data you are in charge of.


Social Networking On Company Time


Protecting your "Social" Security - Part 2

Survey results from Symantec have shown that half of all social networking at work is conducted for business purposes. Although bosses may cringe to hear that the other 50% of social networking done in the office is for pleasure, it may come as a surprise that personal social media use in the office actually increases productivity (we'll get to that in a second). Although this is good news, many organizations don't have security policies in place to safeguard company activity conducted on social networks.

The Good

A recent article in the Boston Metro reported findings from a study conducted at the University of Melbourne. Researchers found that typical 9-to-5ers who spent about a fifth of their workday using the web for personal browsing were actually more productive than those who used the web strictly for business purposes.

The article also stated that workers should "batch" their personal activities, recommending one twenty-minute session for every two hours of work for optimal productivity.

InformationWeek posted similar findings. A report from Forrester Research (conducted this past January) found that 70% of IT personnel viewed Web 2.0 and social media as having a beneficial impact on their organization's productivity. 78% believed it helped their organization provide improved customer service. 80% thought social media had a positive impact on their company's innovation.

The Bad

According to the InformationWeek article, many organizations don't have a policy regarding social media usage. Some (about 5%) outright block access to sites such as Facebook, Twitter, and MySpace. A policy this extreme could result in lower productivity, poorer customer service, and a sour workplace atmosphere.

Instead, companies should provide guidelines for employees and create a way to monitor how social networking is being used during office hours.

The Ugly

Without any policies in place, an organization is susceptible to a number of attacks including clickjacking, worms, spam, and phishing that can enter their internal network via social media websites.

The Bottom Line

If your office is in the Twitterverse, using Facebook, or posting pictures to Flickr, you need to have a set of rules or regulations in place to protect not only your employees' privacy, but your organization's privacy as well.

Security Outside The Cloud


Protecting Your "Social" Security

Your organization's cloud (whether it is private, public, or hybrid) is safeguarded from intruders through the use of firewalls, VPNs, SSL encryption, and other security measures. However, what does a company do if proprietary information is used or misconstrued, that is, information that was voluntarily released onto the World Wide Web? I'm talking about social media, where the world is a conversation.

In this day and age, when everyone and their grandmother (literally) are hopping on the social media bandwagon, privacy regarding personal data on these websites is becoming an increasing issue. With super-platforms such as YouTube, Facebook, and Twitter, everyone is buzzing, but forgetting that what they are talking about is not only broadcast globally but, in the wrong hands, can be dangerous.

Recently, Facebook has come under fire due to an application vulnerability that would allow hackers to link users to malicious websites. A recent article from PC World noted that the flaw could make users' private data public. Then again, how strict can privacy settings be for information that users are willingly posting to the web?

The solution: make sure your organization has a social media policy in effect. It doesn't have to be anything fancy (i.e. written by an attorney, notarized, and framed in the office), just a few bullet points added to the employee manual or posted to the organization's wiki or work server.

Some common areas employees should be notified of are:

  • Tweeting about projects not yet publicly announced.
    • If the company hasn't officially announced it, don't talk about it.
  • Complaining about a co-worker or boss in your Facebook status.
    • Not only is it disrespectful (save it for when you are home and want to vent to a significant other), but it is bad PR for your organization if employees are updating their news feeds with slander.

Another safeguard employees can use is to check their privacy settings on their personal Facebook pages to make sure they aren't letting their personal information outside of their own networks.

Here is another great article from PC World that instructs users on how to scan their own Facebook profiles for vulnerabilities.

Employees are allowed to have social lives; they just have to make sure their personal and professional Tweets/Posts/Blogs are thought out before they are released into the cloud that is the internet.

Employee Spotlight: Certification for Information Security


Senior IT Associate Receives CISSP Certification

Ben R. Howard, a Senior IT Associate at NSK Inc, recently took the CISSP Certification Exam and passed, placing him among roughly 64,000 other IT professionals in the world who hold the certification.

The CISSP (Certified Information Systems Security Professional) is a highly prestigious certification that requires a massive amount of training and credentials just to be considered eligible to take the exam.

CISSP candidates must have at least five years of experience in information security, as well as experience in two of the ten security domains, before they can even apply. They then have to train and prepare for a sixty-page exam that lasts six hours.

Those who pass receive the certification. A CISSP-certified associate knows how to formally manage an all-encompassing security program. The CISSP credential is a testament to the years of experience, knowledge, and competency in information systems that these personnel have achieved.

Howard hopes to broaden NSK's ability to provide security services to its clients with his new certification. Having a CISSP-certified IT Associate will only help NSK Inc move forward as a premier consulting firm in Boston.
