Nov. 1, 2007 – Security Assessments: How Often and How to Get it Done
If you don’t know how secure your network is against intrusion, then your first step should be a security assessment.
By Justin St. Clair
Published in the St. Louis Small Business Monthly
Your business computer system has surely grown more sophisticated in recent years. Unfortunately, so have the hackers who try to break into networks to steal information or cause any number of problems.
If you don’t know how secure your network is against intrusion, then your first step should be a security assessment, according to Diane McClain, Program Manager for Cyber Security at The Newberry Group, Inc., a St. Charles-based global IT consultancy.
“They can get in and deface your Web site. They can get in and destroy your system,” McClain says. “If your systems aren’t secured, anything less than completely securing your systems can be a problem.”
McClain leads Newberry’s Security Practice and has 12 years of experience in security assessment and systems engineering as well as other areas of Information Technology. She says one method used among hackers, known as key logging, can have particularly devastating effects.
Using this method, hackers can record whatever is typed into your computer, whether it be bank account numbers, proprietary information, or other sensitive data.
“They can basically watch what you type in on the keyboard,” McClain says. “They can steal your identity, and with that they can get bank account numbers, social security numbers, and basically be you online. And you suffer the ramifications.”
The first step in protecting yourself from that kind of activity is finding out how secure – or vulnerable – you are.
There are typically three main steps that a consultant will take in a security assessment, McClain says. First, the consultant will assess the company’s security policy. Many companies set their own policies, often using guidelines from the National Institute of Standards and Technology, while industries such as health care and banking have their own strict industry regulations.
The policy review portion of the assessment includes learning what standards the company has set for itself or what standards the industry holds and finding out if they are followed.
“A part of that verification would be talking to employees and asking them about the security policy,” she says. “If they’re not aware that there is a policy or they don’t know what it is, there’s a red flag right there. End user awareness is the lynchpin to effective security.”
The company’s standards will also include how frequently a security assessment must be done. That can vary widely from company to company based on their size, their industry and any outside standards they might have to adhere to, McClain says. All companies should have a schedule in place, though.
The second step is to test the systems themselves, making sure that their actual settings match what the company’s standards specify. This is usually the most technical and most important part of the assessment, McClain says.
In the third step, consultants will review documentation relevant to the company’s security standards.
“If you have a policy that says that ‘we will test our disaster recovery capabilities every six months,’ as assessors we will require the results of those tests to verify that they were performed,” McClain says. “If you say you’re going to do it, show me you did it.”
With the information gathered in those steps, the consultant can tell you how secure your company’s system is and what kind of actions might need to be taken to meet your standards.
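To make the second and third steps concrete, here is an added example (not from the article or from The Newberry Group) of how an assessor might model them in code: a written policy baseline is compared against the settings observed on a system, and documented evidence of recurring tests, such as the six-month disaster-recovery test McClain mentions, is checked for existence and recency. The baseline items, the observed settings and the evidence dates are all constructed sample data, not a real standard.

```python
"""Added example, not part of the original article: a toy model of assessment
steps two (settings match the standard) and three (documented evidence of
recurring tests). All policy items, settings and evidence records are
constructed sample data."""
from datetime import date

# Constructed policy baseline: setting name -> required value.
# Booleans must match exactly; integers are treated as minimums.
POLICY_BASELINE = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "auto_patching": True,
    "min_password_length": 12,
    "remote_admin_open_to_internet": False,
}

# Constructed recurring-control requirements: control -> max days between tests.
RECURRING_CONTROLS = {
    "disaster_recovery_test": 183,        # "every six months"
    "backup_restore_test": 90,
    "security_awareness_training": 365,
}


def check_settings(observed, baseline=POLICY_BASELINE):
    """Step two: return (setting, required, observed) for every baseline item
    the observed configuration fails. A setting that is absent counts as a
    finding, because an assessor cannot assume an undocumented value is safe."""
    findings = []
    for name, required in baseline.items():
        actual = observed.get(name)
        if isinstance(required, bool):
            ok = isinstance(actual, bool) and actual == required
        else:
            ok = actual is not None and actual >= required
        if not ok:
            findings.append((name, required, actual))
    return findings


def check_evidence(evidence, as_of, controls=RECURRING_CONTROLS):
    """Step three: for each recurring control, verify that a dated record of the
    test exists and that the most recent run falls within the required interval.
    `evidence` maps control name -> list of dates on which a test was documented."""
    findings = []
    for name, max_days in controls.items():
        runs = evidence.get(name, [])
        if not runs:
            findings.append((name, "no documented test"))
            continue
        last = max(runs)
        overdue = (as_of - last).days - max_days
        if overdue > 0:
            findings.append((name, f"last test {last.isoformat()}, {overdue} days overdue"))
    return findings


def assess(observed, evidence, as_of):
    """Combine both checks into one report; empty lists mean the item passed."""
    return {
        "setting_findings": check_settings(observed),
        "evidence_findings": check_evidence(evidence, as_of),
    }


# Constructed sample input representing a small office as of the article date.
SAMPLE_OBSERVED = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "auto_patching": False,
    "min_password_length": 8,
    "remote_admin_open_to_internet": False,
}
SAMPLE_EVIDENCE = {
    "disaster_recovery_test": [date(2007, 2, 10), date(2007, 8, 15)],
    "backup_restore_test": [date(2007, 5, 1)],
    # security_awareness_training: no record at all
}
AS_OF = date(2007, 11, 1)

if __name__ == "__main__":
    report = assess(SAMPLE_OBSERVED, SAMPLE_EVIDENCE, AS_OF)
    for finding in report["setting_findings"]:
        print("setting mismatch:", finding)
    for finding in report["evidence_findings"]:
        print("evidence gap:", finding)
```

Run against the sample data, the report flags automatic patching turned off and a password minimum below the baseline, and on the evidence side a backup restore test that is overdue and a training control with no record at all; the disaster-recovery test passes because its last documented run is within the six-month window. The point of the structure is that each policy item is a named, checkable requirement rather than a sentence in a document, which is what makes "show me you did it" answerable.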
Ben Horstmann of Korte Technologies, a part of St. Louis-based construction firm The Korte Company, says his company places a great importance on IT security assessments. He says the importance of frequent checks has certainly increased in recent years.
“Generally speaking they are done every three to six months,” Horstmann says. “Viruses and worms in the wild can infect computers in under a minute if left unprotected and unpatched. Methodically checking virus scan and firewall systems is critical in today’s environment.”
McClain says business owners often hold several misconceptions that keep them from getting security assessments, including: the cost is too high; the assessments are too complicated; only a specialist can perform them; and the bad things that can come from not having a secure system will not happen to them.
In truth, McClain says, it can happen to anyone, down to a home-based operation with a server in the spare bedroom. But businesses have a number of cost-effective options to assess the security of their systems, including self-assessments they can download and perform themselves.
“You’re compromising objectivity at that point, but at least you’re getting some kind of assessment,” she says. “It doesn’t have to cost a lot to have them done.”
What you can do to protect your system right now:
• Install all vendor software patches to your systems
• Back up your critical data and store it in a secure off-site location
• Train yourself and your employees to be security-conscious
• Develop a business continuity plan in preparation for a disaster or extended disruption