Systems and services are in a state of constant change. That's why it is important to develop a baseline of your financial organization's current security posture and to prioritize the greatest risks as the environment changes and services expand.
Enter vulnerability assessments.
A vulnerability assessment is a process of identifying, quantifying, and prioritizing the security risks that are present in an institution's environment at a point in time. Most people associate vulnerability assessments with measuring the security of the infrastructure or application assets, but it can also be about anything that leverages or utilizes those assets. Phone systems, data centers and business processes can all be candidates for vulnerability assessments since they directly interface with the most crucial systems in an organization. Vulnerability assessments can also help accurately gauge the way changes can alter an expected or assumed security posture, which is important in prioritization and budgeting remediation efforts.
There are many important elements that influence the design and implementation of a vulnerability assessment. The success of the assessment will hinge on having a healthy discussion about and decision on each of the following steps:
Understand the consequences of an exploited vulnerability
This is a critical area to explore and gain consensus about prior to conducting or contracting a vulnerability assessment. Partner with the senior leaders, legal team and compliance team to build awareness and reach a decision as early as possible about the possible dangers of certain vulnerabilities.
Document and communicate senior level buy-in
Do not let a vulnerability assessment come as a surprise to the senior leadership. Take the time up front to ensure you have their approval and sponsorship prior to starting the work. Assist them in understanding the goals and objectives of the assessment and how it will target expenditures and improve the organization's security posture. Retain records of important decisions that have been made and communicate the sponsorship appropriately.
Internal core competency or external third party?
Determine if vulnerability assessments are a core competency of your organization or if they should be done by an external party. There is a balance between being cost-effective and having a truly independent review of the target. If auditor neutrality is important, make sure to develop a contract that will protect the organization's interests and maintain the security of your information during the engagement. A vulnerability assessment in the hands of the wrong person can be a significant risk to an organization. By mandating encryption of all electronic communication and deliverables, it's possible to manage dissemination of the assessment findings.
Develop manageable attack vectors and objectives
It is easy to select a target or process that may need to be reviewed, but it is also easy to go too far and try to boil the ocean. Select a point of interest and develop a clear set of objectives in order to build a conclusion. The attack vectors should outline the tests that will be conducted and what the reports of those tests should include based upon that plan. If there are multiple interests involving a specific target or process, break it into manageable pieces and contain the tests to the defined scope.
Determine method and communication levels used
There are two basic methods and three communication levels that can be combined to produce an effective and meaningful assessment. The two methods of testing are a general assessment and a targeted assessment. The general method is best used for a first time assessment and covers a wide range of assets; it can provide a high level baseline and help demonstrate specific areas that will require a more in-depth assessment in the future. A targeted assessment is a very specific view of select assets that can dive much deeper into the system or process to get a more accurate measurement of its particular security.
Assessment communication is also an important decision that should be made and combined with the assessment method. The three levels of communication are silent, loud and hybrid, and can have a dramatic impact on the assessment results and effectiveness of the tests. The silent level consists of telling no one (other than senior management) when and where a test will be conducted. Loud and hybrid levels provide some form of notice that a test will be conducted, but notice may be limited to a select few in order to prevent behavior changes during the test time. Each level has pros and cons that should be discussed and agreed upon prior to conducting a test.
Plan for disruptions
One of the hardest aspects of designing a successful vulnerability assessment is managing potential outages or disruptions to the business, especially when using a silent communication level. The best recommendation is to prepare by understanding the assets or process being tested. Tests that may exercise human discretion need to be monitored or tracked until the objective is complete.
Build the right deliverable for the intended audience
Vulnerability assessments tend to be on the technical side, especially if the assessments are conducted on infrastructure or applications in the environment. Determine the audience and the message that you need to convey to present the findings in the most impactful, yet understandable, way. A CEO may not care to hear about particular exploits but he or she will be interested to learn that certain protected types of information are easily accessible, so err on the side of understandable risk language. In addition, it can be helpful to present, but not rely on, industry measurements regarding risk and recommendations. This will leave room for you to include your organization's language of risk as the measurement of choice.
Vulnerability assessments can go a long way in helping an organization learn about risks it faces and develop a baseline on areas that may be considered black boxes. A vulnerability assessment, at best, is a way to measure and maintain the best security possible for your organization. By leveraging the steps outlined above, you will be on your way to doing just that.
About the author:
Rick Lawhorn, CISSP, CISA, has over 18 years of experience in information technology, which includes an extensive security, compliance, privacy and legal background. Rick has served as the Chief Information Security Officer (CISO) for GE Financial Assurance, Chief Information Security Officer (CISO) for Genworth Financial and served in information technology leadership roles within Hunton & Williams law firm and the National White Collar Crime Center. He has been published in numerous international and domestic security magazines and currently serves on several advisory boards for new, innovative security products. He can be reached at rick.lawhorn@mac.com.
