The main component of risk management, integral to maintaining security and compliance as well as holding on to the certifications that you’ve worked so hard to achieve, is cybersecurity assessments and audits. What are they? Are they interchangeable? Are they all necessary processes? Do you need one or the other? Can Bob in IT be left to handle it, or do you require independent third-party assistance? These assurance terms are often used interchangeably, but they describe different activities.
Choose the right assurance practices and the right people for the job
When trying to determine whether your organization’s cybersecurity posture is up to scratch or whether your organization is meeting the requirements of a security standard, you’ll contemplate the different assurance actions to take — a gap analysis, risk assessment, various IT tests, cybersecurity audits, and so on. These are all fundamentally important activities for continual security improvement and assurance.
A cybersecurity audit program has a purpose, but it is not the only answer to every assurance demand. Cybersecurity assessments and tests are also a vital part of the compliance journey and the security program. Often, audits alone do not reveal the full value of the security controls your organization has in place, so other assessments and tests are needed as well. Depending on what you are trying to achieve, different activities will take center stage. To improve your security posture, there are many assurance activities available aimed at identifying weaknesses so that improvements can be made. However, if you require independent third-party verification against a particular standard or for regulatory purposes, a specific security audit is likely needed.
Another very important aspect relates to the people that you choose to execute these assurance activities. The quality of these activities is directly related to the quality of the individuals performing them. So, if you are expecting quality outcomes you need to employ the right people for the job. Choose your assessments as well as the people performing them very carefully to achieve the best results.
Commonly used compliance assurance practices
Audits are the most formal of all the assurance activities and the primary method for verifying compliance. An audit is an evaluation of something (an organization, product, system, etc.) against something else (a specific standard) to formally validate that the precise requirements are met. There are two types of audits: external and internal.
In an external cybersecurity audit, the organization’s information security position is assessed against a recognized standard that is both auditable and certifiable. A leading standard that is both auditable and certifiable is ISO/IEC 27001. Using this standard, an accredited auditor can assess the organization’s information security function to ensure that the organization is complying with the specifications laid out in the standard. These specifications include obligatory policies that must be adhered to, and documentation for processes and procedures that must be present, properly communicated, and continuously applied within the organization.
If the organization successfully demonstrates compliance with the standard and passes the assessment process (the audit), certification (or renewal of certification) is the likely next step.
Certification is usually only valid for a predetermined period, after which an organization must display compliance again to keep its certification. This ensures that security is continuously maintained and that the certification can keep its value and recognition. So, an audit can include periodic visits to verify that effective implementation of the requirements continues for the long term.
An external audit is formal and involves an accredited, independent third party (so, Bob will not do). It can be costly. Additionally, it’s often a laborious process for all parties involved, as it is undertaken across all departments. What’s key to an external audit is that it must be performed by an independent authority and against a recognized auditable standard. That is why it holds so much value.
An organization may perform an internal audit for various reasons (an internal audit can be less costly and perhaps quicker). An internal audit can help to determine the organization’s degree of compliance with the requirements of a specification or to determine a baseline to measure improvement for future audits. Often internal audits are performed as practice runs before an external audit.
It’s important to realize that although audits often include certain assessments, like gap and risk assessments, as part of their process, an audit and an assessment are not the same. An assessment can be performed internally (by Bob!) and can cover one particular area, whereas an audit considers all aspects of an organization’s security and is mostly done by an independent professional. An audit validates, and the outcome is usually a pass or a fail.
You need a cybersecurity audit when…
The external audit is mostly conducted to comply with various industry regulations. As a trusted organization, you’ve likely designed and applied cybersecurity policies, communicated them to and educated your employees about them, and ensured that these practices and policies are continuously revisited and maintained so that the digital assets you process are always protected.
The cybersecurity audit provides another level of assurance. It is a means to check and validate that what you’ve documented in your policies is actually applied, and to check that you have enforceable controls in place to ensure your policies are applied correctly and continuously across the entirety of your organization. While an audit assesses compliance, it also identifies areas of noncompliance, where the standard’s requirements have not been appropriately met. In this case, remedies may be given so that adjustments can be made and further controls introduced until compliance is achieved.
Generally, an assessment is the process of gathering and evaluating information to understand a situation (people, process, and technology) and to make informed decisions based on that. It’s not verifying something (system or product) against something else (a standard) that results in a pass or fail outcome but rather assesses a situation to set future direction and to help demonstrate a way to move towards achieving a goal.
You need an assessment when…
An assessment is needed when verification against a standard is not required or is not possible. Not all security frameworks are certifiable or auditable. Where an audit is not possible, an assessment can provide the assurance you are looking for. An assessment can be used to determine whether the organization’s practices align with best practices. It can compare the current position against a predetermined goal, rather than against a standard, and can determine how mature an organization’s security is. It can help to find weaknesses and vulnerabilities so that corrective measures can be taken, and it can help to better manage risk.
Types of assessments
A gap analysis is a way to compare current performance with potential performance — where you’re at and where you’d like to be. The gaps are the means of transformation. A gap analysis in cybersecurity is used to assess to what degree an organization observes information security practices.
A gap analysis report usually summarizes the gaps and the areas where requirements are successfully being met, and offers some advice on how to close any gaps against the requirements that are not being met. Mostly, it is used when the organization wants to identify existing holes in its security so that it can fill those holes and move closer to achieving its security goal. It can be performed by internal resources.
You need a gap analysis when…
A gap analysis can be performed at any time. However, it’s often performed in the initial stages of developing a new process, so that any problems can be picked up and addressed early on. Often, a gap analysis is done at the start of the compliance journey so that the organization has an idea of where it stands in relation to a standard or set of security requirements that it’s trying to fulfill. The aim is to uncover the gaps so that the organization can take action to close them. It is not an audit, but it may be used as part of an audit process.
A risk assessment is used to assess how effective the organization’s controls (technical and management) are at reducing cybersecurity risk. It is a high-level overview of technologies, controls, and procedures, undertaken to identify, evaluate and estimate the level of risk involved and to determine the level of risk that is acceptable. It is not the same as a gap analysis. It can be an internal self-assessment (so, Bob may be able to undertake this one if he has the skills to do so!), but an independent third party (a consultant) can be instructed to do it too. Like a gap analysis, it is not an audit.
The assessment involves collating a data asset registry of all critical assets so that the infrastructure, applications, and services can be evaluated with this in mind. Risk is integrated into the decision-making process when building a defense strategy, so it must be known so that suitable governance, monitoring and security actions can be applied.
You need a risk assessment when…
A risk assessment is needed when you want to assess the level of potential risk from people, process and technology and the impact it may have on your organization. A risk assessment is a good means to highlight current threats, where your systems are vulnerable and the potential for exploitation. It should also enable you to assess the effectiveness of your controls and the likelihood or impact of the risk.
An organization should conduct a risk assessment periodically (annually, at least), and more often when the IT environment changes. This is not mandatory, but it is best practice, so that an organization can stay on top of any risk associated with its environment and take measures to properly manage that risk with a suitable risk-based cybersecurity plan.
A vulnerability assessment should not be confused with a risk assessment. They are different. A vulnerability is a weakness in a system or application that can potentially be exploited. Risk considers much more than vulnerability as it includes any actions that may impact the organization’s risk level, not only a vulnerability in a particular area. A vulnerability assessment mainly focuses on discovering if the vulnerability exists and how to fix it and does not reflect the risk impact.
Risk is not always related to vulnerability. Even without a vulnerability an organization still has risk. So, unlike an extensive risk assessment, a vulnerability assessment aims to locate a security vulnerability, so that the organization can address it specifically.
Tests can be done internally by staff, but when done by an independent source the results hold a higher level of credibility. A common security test is a penetration test, in which the tester subjects a network to existing attack methods to see how the organization’s systems handle common attacks. It is by no means a complete test of security and controls, but it is an additional way to investigate an organization’s security posture at a moment in time.
Assessments always remain a critical part of your security program
Perhaps you’ve decided that certification is not a top priority for your business, or you have an audit pending, or you have just passed a security audit and received validation that you are compliant with a particular standard. No matter where your organization is on this compliance spectrum, different assessments will always have a role to play. It may not be a full-on external cybersecurity audit that you require — although they do have a purpose. Having said that, this doesn’t mean that you do nothing!
No matter where you are on your compliance and cybersecurity journey, assessments play an integral part. I’ve only scratched the surface here; there are so many more! Be sure to involve the right people: people who can demonstrate they have the experience and skills to undertake the assessments that you need.
Evaluate your organization as a complete unit (see the big picture) to understand the current state of your security so that you can understand where you are and where you need to be.
Know what is required of your organization, be it sector-specific practices, regulatory compliance or beneficial practices. If you know what you need, you will know which assurance practices to utilize and when.
All types of assurance activities, either handled “compliments of Bob” or by an independent third-party, are beneficial.
On a final note, remember that even if you’ve been successful in an audit, you should continue to use routine security assessments and testing to stay on top of your security. After all, in no time at all the auditor will be back for a follow-up visit and your organization will need to be ready, because if it’s an audit you’re after — it’s either a pass or a fail!