10-Step Security and Vulnerability Assessment Plan | ITBusinessEdge.com

August 16, 2010

A security assessment is conducted to determine the degree to which information system security controls are correctly implemented, whether they are operating as intended, and whether they are producing the desired level of security. A vulnerability assessment is conducted to determine the weaknesses inherent in information systems that could be exploited, leading to a breach of those systems. Without security and vulnerability assessments, information systems may not be as secure as intended or desired, and nobody will know it.

A security assessment policy should apply to all information systems and information system components of a given company. Specifically, its scope covers:

* Mainframes, servers and other devices that provide centralized computing capabilities.
* SAN, NAS and other devices that provide centralized storage capabilities.
* Desktops, laptops and other devices that provide distributed computing capabilities.
* Routers, switches and other devices that provide network capabilities.
* Firewalls, IDP sensors and other devices that provide dedicated security capabilities.

Security and vulnerability assessments should be performed against all information systems on a pre-determined, regularly scheduled basis. While both security and vulnerability assessments may be performed by internal staff on an ongoing basis, third parties should be retained periodically to ensure appropriate levels of coverage and oversight.

Info-Tech Research Group has developed the following outline for conducting a thorough assessment.

You can also download their Security Assessment Policy at no cost from the IT Business Edge Knowledge Network here:

http://www.itbusinessedge.com/cm/docs/DOC-1985

One Comment
  1. August 17, 2010 12:24 am

    Many people do security assessment and vulnerability planning without considering the implications of a compromise. Here is a tabletop exercise that people can use to determine the effectiveness of their planning efforts:

    http://misterreiner.wordpress.com/2010/06/02/cse01/
