Using Best Practice Assessments to Improve Your Security Program

Written by CISOSHARE

September 9, 2020


What is a security program assessment? How often does an organization need to conduct one? Do you have to outsource assessments?

These are questions people often ask in security, and this article will go through the basics of a security program assessment and what to keep in mind to make the most of them to improve security program health.

A properly conducted security program assessment can help a team not only fulfill compliance and regulatory requirements but can also serve as the basis for your security program projects.

Staying on top of cyber security in an organization isn’t easy, especially as objectives change during an organization’s growth. A well-conducted security program assessment can be used as a starting point to improve your organization’s overall security program posture.

Let’s go over the basics of security program assessments and how you can use them in your own organization to make better security program decisions.

What is a Best Practice Security Program Assessment?

A best practice assessment of a security program is a review of an organization’s current security program state against industry best practice frameworks such as ISO 27001 and NIST.

The frameworks and regulatory requirements that an organization is measured against will change based on the organization’s goals, industry, and the types of information it handles or processes. Location can factor in as well, especially now that privacy has become a prominent topic with the GDPR (General Data Protection Regulation) in the EU and the CCPA (California Consumer Privacy Act).

Why Conduct a Security Program Assessment?

For many organizations, best practice assessments might be an annual requirement in maintaining compliance with specific frameworks and regulations.

But beyond meeting basic requirements, security program assessments can be a valuable and proactive opportunity to identify any risks and vulnerabilities within an organization’s current state. A thorough assessment of security program policies and processes can reveal gaps that need to be addressed.

The findings from best practice security assessments can also be used to keep security as one of the priorities for your organization, especially as business goals continue to adapt and change over time and the cyber threat landscape continues to shift.

The Components of a Successful Best Practice Assessment

Not all best practice assessments are created equally.

Conducting an assessment for the sake of compliance is different from conducting an assessment with remediation in mind.

Assessing a security program for the sake of compliance only checks that certain policies and processes exist, without paying any mind to how they are carried out. Assessing with remediation in mind identifies any gaps and uses them for additional insight into the current state of the security program and what needs to be improved.

There are at least three things to keep in mind for a successful best practice assessment: scope, security architecture, and organizational objectives.

Clearly Defined Scope

Whether your organization is conducting the assessment with in-house resources or outsourcing the task to a third party, it’s important to have a clear scope for the assessment.

Your scope will be determined in part by the business drivers surrounding the assessment such as meeting specific compliance and legal requirements, industry-based requirements, and the available budget.

A clear scope will determine the breadth and depth of the assessment, which can include interviewing multiple parts of the organization, starting at high-level policies and going all the way down to specific parts of a process.

A best practice assessment will often include interviews with employees across the organization to understand where security touches each department in an organization to help determine the complexity of the environment.

Review Security Architecture

Even if a best practice assessment is focused on a security program’s policies, some understanding of the security architecture in place is critical to knowing how security functions in an organization.

Security architecture is often defined as the preventive and detective safeguards an organization has in place and how they work together to protect any data within the environment.

Understanding how these safeguards work will make it easier to understand the technical aspect of the environment, which can provide insight on any additional gaps within security tools and processes.

Keep Goals and Objectives in Mind

During the assessment, and especially during the creation of a report and recommendations, it’s important to keep the goals of the assessment in mind.

Knowing what the organization wants to accomplish at a high level will make it easier to identify remediation projects that align with these objectives.

If you’re outsourcing a security program assessment, consider having the same team who conducted the assessment assist in the remediation projects if you need support for those projects as well. That way, they’re already familiar with the environment as well as what your team hopes to accomplish.

Having remediation in mind from the beginning makes it easier to group identified gaps and vulnerabilities together for related programs of work.

Use Your Security Program Assessment as a Tool

An effectively executed best practice assessment is a key starting point to improving your security program.

Understanding your organization’s current state will make it easier to identify and prioritize the projects that are critical to meeting certain goals. Using a security maturity model can provide you with a picture of your current state, and it also makes measuring any changes and progress in your organization easier moving forward.

Understand your current state and build a plan for progress.