Security Risk Assessments, Security Audits, Reviews & Gap Analysis
Security risk assessments are essential for discovering risk and defining mitigation strategies that fit your company’s objectives. A security assessment has two components: 1) a Security Review (often called a security audit), which provides a complete process for defining security risk strategies based on your objectives, security posture and current status; and 2) security tests such as penetration testing, vulnerability testing and phishing tests, which diagnose actual vulnerabilities in specific areas of your security infrastructure.
Security Review & Gap Analysis (Security Audits)
The most important part of a security assessment is the security review and gap analysis. It is the glue that ties the entire security risk assessment together. As with any security audit, there must be a defined process for assessing a company’s risk profile. In a security review, we examine your key assets, current security strategy, controls and IT infrastructure, and then prioritize your top vulnerabilities, risks and recommended security controls. The resulting report is suitable for defining your future security strategy, setting budgets and deciding the order in which to implement security risk mitigation measures.
Vulnerability Scanning, Penetration Testing and Other Security Assessment Tests
Security assessment tests diagnose actual security vulnerabilities by testing specific areas of your security infrastructure. They can be performed with or without a Security Review. Each test has its own goals and process, but all are designed to identify security vulnerabilities and assign a probability of occurrence so that a plan for controlling that security risk can be defined. Consult your security expert to determine which tests are appropriate for your environment.
The most common security tests used in security risk assessments are network vulnerability scanning and network penetration testing. These tests can be applied to external networks, websites and web applications as well as to internal networks. Other security tests include wireless security testing, VoIP security testing, phishing tests, security configuration testing and physical security tests.