“One and Done” Is Not a Security Assessment Strategy

Bob Fake, CEO, InfoSec

IT security is about more than just making sure your security is at its best once a year and forgetting about it. Today’s threats are always changing, and there are increasingly sophisticated ways for systems to be breached. New applications are constantly being implemented, employees come and go, and general security changes occur every day. Frequent or recurrent security and compliance assessments are a way to address all of these changes and, in turn, make adjustments to suit the changes your organization experiences.

Use the Right Standard

Security assessments are a mechanism to validate that your security meets your specific standards; having a standard to compare a new security implementation against is critical. Different companies have different guidelines for the level of security they want to achieve. By performing a security assessment on a regular basis, your security team, your CISO, and your CIO can all be assured that your security protocols meet the levels you are looking for.

There are best practices out there, but unfortunately they’re not very comprehensive and don’t get down to the level of detail that many organizations require, in particular large financial, healthcare, or insurance organizations that have so much to lose if their information is compromised. In today’s high-risk environment, organizations need more than just best practices: IT security must be assessed against a higher set of standards. If you can’t say with 100% certainty that your entire infrastructure is completely buttoned up, you most likely have some gaps that a cybercriminal could exploit.

The Risk Management Framework (RMF)

These potential gaps are why many commercial organizations are adopting the RMF (formerly known as DIACAP) standard, the official certification and accreditation requirement for security compliance with the Department of Defense (DoD). RMF is a thorough and exhaustive list of technical guides that determine whether your security implementation is worthy of running a DoD-level workload. It has been around for decades, and it’s the trusted “gold standard” of high-quality IT security assessments.

Instead of reinventing the wheel or coming up with another set of standards, commercial entities are adopting and implementing the RMF standard for their own purposes—and for good reason. The advantage of this higher level of security compliance is that a third-party consulting partner can use these standards to assess you against the most stringent guidelines in existence.

Unlike those who have to adhere to these guidelines by law, commercial businesses have the ability to make these standards fit the individual needs of their company and culture. Bringing security up to this standard will close many of the holes that are present in most of the security plans that are based on “best practices,” placing organizations in a more favorable security position, and in a better position to respond to internal and external audits going forward.

Finding a Reliable Third-Party Partner

A regular security assessment, on an annual basis or more frequently (quarterly or semi-annually), will show whether the changes made to your security since the last assessment have failed to meet the compliance requirements put in place.

Partnering with a third-party consulting partner can often be key to performing the number of assessments necessary to keep your organization secure, compliant, and up to a higher standard. It is important to have a third party perform the assessment; if security is shown to be lacking, your partner should be able to deliver a plan that lays out the gap analysis and the remediation steps necessary to bring your security back into compliance.

Recurring assessments are imperative to the ongoing health of a security and compliance implementation because, as soon as third-party consultants leave, things change, and you can’t be sure of your security level until your next assessment occurs. Regular assessment, with skilled and experienced third-party support, helps to close the security loopholes present in most systems, keeping your data secure and your customers happy.