Security Assessment by CIT

Security Assessments Through CIT

Operationally Critical Information Asset Assessment            

OCTAVE (Operationally Critical Asset, Threat, and Vulnerability Evaluation) is a process by which CIT focuses on the protection of the information assets of your organization. It begins with defining the areas of most detrimental impact in the case of an information-centric security event. For example, some organizations hold that the loss of good reputation in the case of an attack would have the most negative impact, so that would be listed first in priority. That information is then used to define and measure the risks against the organization’s information assets. Each asset has its own level of exposure and risk which is then compared with the technical findings to define acceptable risk tolerances and exposure factors for each asset. This then leads to a prioritized list of risk mitigations for each asset. Ultimately, the goal of OCTAVE is to turn the goals of the business into technical practices to help those goals through the protection of information assets.

Cybersecurity Risk Assessment            

A cybersecurity risk assessment is a process done with the goal of seeing how your organization’s cybersecurity practices compare to a trusted security framework. This allows for both CIT and your organization to have quantifiable and verifiable scoring of the policies, procedures, and implementation of cyber practices in your organization.

It begins with understanding the information assets of the organization. What information do you have? Where is the information? Who has access to the information?

Questions like these allow CIT to gain an understanding of what your organization is trying to protect. An interview follows with IT staff as well as executives in order to gain an understanding of both the technical side as well as the asset side of your system setup. A look at the controls and policies of your organization then allows CIT to test even further. The result is a prioritized list of findings with their risk factors to the company. By looking at attacks on similar organizations within the field as well as the organization’s information assets, CIT can provide you with a roadmap of how best to prioritize the implementation of cybersecurity practices within your system.

IT Systems Audit            

The goal of an IT systems audit is to look at your organization’s IT department in terms of accomplishing the goals of the business. Many organizations do not have a great understanding of what they need for their business objectives, so an audit allows CIT to help determine just how much IT your organization needs as well as what IT systems the organization should utilize.

Additionally, CIT will look at your organization’s current IT setup to gain an understanding of where your IT is at currently. This includes many different things such as determining if your system is set up correctly, if your programs are configured correctly, or if you have all of your software properly implemented (many people just click through the setup instructions for software without reading through what they’re doing, which can lead to trouble down the line). All of this combined helps CIT as well as your organization create a better picture of just what your IT setup looks like and what it should look like in the future.

Vulnerability & Exploitability            

This process is similar to that of a pen test, but is much broader in nature. This assessment finds vulnerabilities in the system and determines if the vulnerabilities are exploitable. If they are, the next step is then to determine if there are controls in place to cover these vulnerabilities. For example, some organizations utilize old versions of Windows in order to not break their system. Older versions of Windows are much more exploitable than the more recent ones. But these organizations can put controls in place in order to cover their vulnerabilities so that they can’t be exploited. This assessment ultimately boils down to looking at patches and policies as well as the software and hardware environments of the organization.

Penetration Testing            

A pen test, at its core, is a technical evaluation of the exploitability of a system. This kind of test is great for narrowly-defined system-level exploitability. Thus, pen tests are most successful when a scope is defined, which means determining what is most important for the organization. Pen tests usually entail trying to gain illicit access to a system. Once in the system, what the “attacker” does is determined by the scope of the test, but most often this includes getting credentials and gaining access to information on the system.

However, pen tests do have a limit. Due to the increased dynamism of software patching, some exploits of software that are used in a pen test are patched shortly thereafter, which can make some of the findings of the test less relevant. Therefore, pen tests are best when used in combination with these other assessments.

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.

CIT

Written by Michael Honrine

Comments are closed

Learn More
error: Alert: This Content is protected!