4 things to keep in mind as you prepare to go through your security assessment report
Security assessments conclude with your security adviser showing you what they found while they combed through your IT environment.
Your security adviser will gather all their findings and recommendations and put them into a report for you. This report is the basis of their final presentation where they show you what they found and what it means.
It’s no “Hitchhiker’s Guide to the Galaxy,” but it will take you through the problems in your IT network and the techniques for reducing the risk they create, which is just as important. That is more information than a brief document can hold.
At The KR Group, once we’ve completed the security assessment and presented the security report, we find it helpful for our clients to keep four things in mind:
- Your mindset matters when receiving your security report.
- A likelihood chart is an overview of your assets’ risk.
- Risk ratings break down the vulnerabilities assessed for the likelihood chart.
- Each vulnerability is given a risk reduction recommendation.
If you’re considering a security assessment, this overview of the four components will show you what to expect as the final product. If you’re already awaiting your results, it will help you prepare to read them.
1. Your mindset matters when receiving your security report.
The best way to view the presentation of the report is as a way to help you become more security-minded.
Yes, the report will review your network’s vulnerabilities, but it also allows your security adviser to guide you toward a stronger security posture.
Think of the security assessment report presentation as on-the-job training. Your security adviser is trying to enhance your awareness as IT professionals by discussing the cause and solution to vulnerabilities instead of simply running through a list of problems.
A vital component of your security assessment is your perspective. You’ll make the most out of the report and presentation if you think of it as a learning opportunity instead of a lecture.
With the right mindset, you’ll get the most out of the next three important aspects of your security assessment.
2. The security assessment contains a likelihood chart to overview your assets’ risks.
To give you a visual idea of the magnitude of your vulnerabilities, the security assessment report includes a chart displaying your asset vulnerabilities.
The Likelihood of Security Incident by Asset chart is a quick look at how likely each of your assets, such as enterprise resource planning (ERP), email, network infrastructure, file sharing, SQL, EDI and print sharing, is to suffer a security incident.
Your security adviser uses the data they collect and analyze during the assessment to score each asset’s security.
To quantify how secure an asset is, your security adviser assigns a score to each security control surrounding that asset and, from those scores, calculates the likelihood of a breach incident. This information is then compiled into the likelihood chart.
The closer the likelihood is to 0%, the stronger that asset’s security posture: the security controls expected for that asset are likely in place and functioning.
The higher the likelihood, the weaker that asset’s security posture. It doesn’t mean you’re at immediate risk of a breach; it means the asset has a high number of deficiencies that create opportunities for a successful attack.
3. Risk ratings break down the vulnerabilities assessed for the likelihood chart.
By rating risks, your security adviser helps you prioritize the most critical security vulnerabilities. In other words, the risk ratings create a security to-do list for your company by assigning three categories to each vulnerability.
High-risk vulnerabilities should be addressed first and have the greatest positive impact on your security posture.
Examples of high-risk vulnerabilities are:
- A widely known or easily exploitable vulnerability detected during the assessment
- An active attack or malicious software
- The identification of an advanced persistent threat (APT)
- An identified user practice presenting an imminent or likely risk to the organization
- A production policy, process, or software/hardware solution posing an imminent threat to your recovery or downtime tolerance
- A production policy, process, or software/hardware solution posing a threat to your general ability to protect confidentiality, integrity, and availability
Medium-risk vulnerabilities should be reduced as soon as possible, but aren’t as imperative as the high-risk items.
Examples of medium-risk vulnerabilities are:
- Deprecated or soon-to-be sunset security policies, processes, or technologies
- A practice or technology in production that could be improved to better meet your stated recovery or downtime goals
Low-risk vulnerabilities do not pose an immediate danger to your IT environment.
Examples of low-risk vulnerabilities are:
- A positive finding on the current effectiveness of a security control
- An engineer’s preferred practice applied to a security control or practice that is already working
Throughout the rest of the report, each vulnerability is color-coded by its risk level: red (high), yellow (medium), and green (low).
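As an added, illustrative example (not The KR Group’s scoring method and not code from the page), the Python below builds the two artifacts described in sections 2 and 3: a Likelihood of Security Incident by Asset chart and a color-coded, prioritized risk-rating list. The scoring model is an assumption made for the example: each asset has a set of expected security controls with weights, and the likelihood is the weighted share of controls that are missing or not functioning, so 0% means every expected control is in place. The asset names, control names, weights, findings and recommendations are constructed sample data.

```python
# Added example, not The KR Group's method. Assumed model: an asset's incident
# likelihood is the weighted share of its expected controls that are missing or
# not functioning (0% = all controls in place and working).
from dataclasses import dataclass

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}               # to-do list priority
RISK_COLOR = {"high": "red", "medium": "yellow", "low": "green"}


@dataclass(frozen=True)
class Control:
    name: str
    weight: float     # assumed relative importance of this control for the asset
    in_place: bool    # True only if present AND verified functioning


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    risk: str         # "high", "medium" or "low"
    recommendation: str


def likelihood(controls):
    """Fraction in [0, 1] of control weight that is missing or not functioning.

    An asset with no assessed controls cannot be scored; that is an error,
    not a silent 0% (which would read as a perfect posture).
    """
    total = sum(c.weight for c in controls)
    if total <= 0:
        raise ValueError("asset has no assessed controls")
    missing = sum(c.weight for c in controls if not c.in_place)
    return missing / total


def likelihood_chart(assets):
    """assets: {asset name: [Control, ...]} -> [(asset, percent)], worst first."""
    rows = [(name, round(100 * likelihood(ctrls), 1)) for name, ctrls in assets.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def triage(findings):
    """Order findings into a to-do list: high, then medium, then low, then by asset."""
    unknown = sorted({f.risk for f in findings} - set(RISK_ORDER))
    if unknown:
        raise ValueError(f"unrated findings: {unknown}")
    return sorted(findings, key=lambda f: (RISK_ORDER[f.risk], f.asset, f.title))


def report_lines(assets, findings):
    """Plain-text rendering of both artifacts, one string per line."""
    lines = ["Likelihood of Security Incident by Asset"]
    for name, pct in likelihood_chart(assets):
        lines.append(f"  {name:<14} {pct:5.1f}%")
    lines.append("Risk-rated findings (to-do list)")
    for f in triage(findings):
        lines.append(f"  [{RISK_COLOR[f.risk]:<6}] {f.asset}: {f.title} -> {f.recommendation}")
    return lines


# Constructed sample data (not real assessment results).
SAMPLE_ASSETS = {
    "ERP": [Control("MFA on admin logins", 3, True),
            Control("Vendor patches current", 2, False),
            Control("Tested backups", 2, True),
            Control("Network segmentation", 1, False)],
    "Email": [Control("MFA", 3, True),
              Control("Spam/phishing filtering", 2, True),
              Control("DMARC enforcement", 1, False)],
    "File sharing": [Control("Quarterly access review", 2, False),
                     Control("Tested backups", 2, False),
                     Control("Encryption at rest", 1, True)],
}
SAMPLE_FINDINGS = [
    Finding("ERP", "Unpatched ERP application server", "high",
            "Apply vendor patches and put the server on a monthly patch cycle"),
    Finding("File sharing", "No tested backups of the file share", "high",
            "Back up the share nightly and test restores quarterly"),
    Finding("Email", "DMARC policy set to none", "medium",
            "Move DMARC to quarantine, then reject, after monitoring reports"),
    Finding("ERP", "MFA on admin logins is working as intended", "low",
            "No change; re-verify at the next assessment"),
]

if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_ASSETS, SAMPLE_FINDINGS)))
```

With the sample data, the file share scores 80% because two of its three controls are missing, ERP 37.5% and email 16.7%, and the to-do list puts both high findings ahead of the medium DMARC item and the low positive finding. Weighting the controls is the design choice that matters: an unweighted count would let several minor controls mask one missing critical one.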
4. Inside the security assessment report, each vulnerability is given a risk reduction recommendation.
After listing your vulnerabilities by risk level, the report gives each one a risk reduction recommendation. Reduction is the next best thing to full mitigation, since no assessment can account for every unknown threat in cyberspace.
By offering recommendations, your security adviser is providing a solution they’re confident will reduce the likelihood of an attack.
Explaining each risk reduction measure is what typically makes the report lengthy. It’s easy to glance over the likelihood chart or the risk rating list, but going into detail on each vulnerability takes more space.
The benefit of crafting the report this way is that it gives you solutions for improving your security posture. By discussing them during the presentation, your security adviser transfers some of their knowledge to you.
The saying goes, “Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.”
In this case, your security adviser won’t just give you a list of problems to temporarily protect you. They’ll teach you how to address vulnerabilities and continually increase your security posture.
Your security adviser can answer your questions
To close out the report and the presentation, your security adviser will invite you to reach out to them if you have any questions.
It’s a lot to take in (both this article overview and the report itself). Your security adviser knows it’s likely you’ll have a list of questions pop into your head after you start to digest the information.
After your security advisers close out the presentation phase, they are still available for clarification about the likelihood chart, risk priorities, reduction recommendations, and the other components covered in the assessment report and presentation.
If you haven’t started the process of a security assessment but have questions, you are welcome to reach out to us for answers about our Hive assessments.