There are many reasons why conducting a Security Risk Assessment is vital to the wellbeing and future of your organisation. Essentially, Security Risk Assessments allow you to identify, analyse and evaluate the security risks that face your organisation, its assets and its people. From here, you become better equipped to mitigate or address these risks. Without such identification and preparation, these risks may cost your organisation dearly in terms of data loss, bad actors, PR, compliance and more.
Additionally, by conducting an SRA, all areas of your organisation become responsible for and aware of the security risks they face. This leads to greater communication, collaboration, decision making and preparation from every corner of your organisation.
Security Risk Assessments are designed to identify security weaknesses within your organisation and to design an effective action plan in response. This ultimately strengthens your organisation, allows you to take ownership of your security and to allocate resources effectively.
Learn more about how Agilient conducts their Security Risk Assessments here.
We recommend that you conduct a Security Risk Assessment once a year; however, some organisations may want to conduct them more regularly than this, depending on their industry, size and the services they provide.
Penetration testing, also known as pentesting, is an ethical attack conducted by security experts against an organisation that has requested it. The purpose of this attack is to determine how secure your network is by subjecting it to real-world cyber-attack scenarios, to get a complete understanding of your vulnerabilities.
The product of a penetration test is a detailed, well-structured report that outlines where the vulnerabilities lie and how they can be patched. Pentesters will document all of their findings, including diagrams or screenshots where useful, and then suggest specific remedies and resources.
Penetration testing is an important element of an organisation’s security profile for a number of reasons:
- Because it is often conducted without the knowledge of personnel, penetration testing gives staff a real experience in dealing with an intrusion and allows the organisation to test the effectiveness of its security policies;
- The reports and insight provided from a pentest will help to train general staff and developers in particular, motivating them to avoid mistakes and to predict attacks;
- Because penetration testers are trained to think outside of the box and to attack from all angles, vulnerabilities that were previously misunderstood or ignored may be better exposed through an attack.
You can choose to conduct a penetration test annually or on a more recurring basis. The latter may involve setting up a regular vulnerability assessment program, where segments of your organisation are tested incrementally, and your IT security initiatives are continuously analysed.
There are a variety of security compliance and regulatory frameworks that may apply to your organisation depending on elements such as its structure, services, policies or geography. Therefore, pinpointing and understanding your organisation’s specific compliance requirements – be they government mandates, industry watchdog recommendations or otherwise – is a vital step in your security mandate.
Again, many security compliance requirements are industry or service specific, but others can be broader. Examples include:
- The Australian Government Information Security Manual (ISM) – focusses on the protection of information assets and ICT systems from cyber threats using effective risk management frameworks;
- The Protective Security Policy Framework (PSPF) – assists Government entities by providing policy guidance and better practice advice for governance, physical, personnel and information security, and may also apply to any non-government organisations that engage in business with government entities;
- The Identity and Access Management Standards (IAM) – made up of protocols that address the transfer of authentication information and the protection of data as it travels through networks or between servers;
- The International Organization for Standardization and the International Electrotechnical Commission ISO/IEC 27000 Series – international standards related to information security management;
- The Payment Card Industry Data Security Standard (PCI-DSS) – global standards designed for any organisation that accepts credit cards, as they help to protect consumers’ financial information.
It is important to remember that when it comes to security compliance, there is no one-size-fits-all approach, as each organisation will have different requirements that apply to it.
Depending on the nature of your organisation, security audits should be conducted annually, since each audit captures only a snapshot of your organisation’s vulnerabilities at that particular point in time. Therefore, if your organisation is going through more rapid changes, you may want to consider conducting security audits more frequently.
There are a variety of questions you may want to pose to your security consultants before utilising their expertise. Asking the tough questions before engaging a security consultant will help you to gauge their skill level and experience, to understand what it is they are doing and why, and to get a clear image of the bigger picture. Below are some examples of important questions to ask:
- What is your security consulting process and how did you design it?
- What do you need from us to fulfil your job?
- What are the most prominent risks facing my organisation now and in the future?
- Are our priorities right in terms of spending, resources and training?
- How do our security policies and systems compare to those of other similar organisations?
- What regulations or standards are important to my organisation specifically, and what is your experience with these regulations?
- How do I translate the technical outcomes you give me to my entire organisation?
- How do we know we’ve done the best we can in terms of security?
- What do we do next?