I’ve heard this question several times now: “What do you mean, build a security assessment program? Do you mean build a security program?” My answer is consistently “no”. Your assessment program should be part of your overall security program, but they are separate (albeit related) initiatives.
So what is a security assessment program? Think of it as a high-level and holistic view of all of the sources of cyber risk to your organization. It considers areas like:
- Potential for compromise of Internet-facing applications and infrastructure
- Internal hosts potentially being compromised
- Attackers potentially being able to move laterally and exfiltrate data
- Unprotected data that is publicly accessible (e.g. an unsecured S3 bucket)
- Inefficient operational processes. For example, SIEM alert triage that takes 30+ days to confirm a true positive and declare an incident
- Inconsistent patching processes across all platforms and software stacks
- Firewall rules not adhering to policy (or, in the absence of a firewall policy, to best practice)
- Design and architecture decisions and the security requirements that apply to them
- Vendor and third party management
- and many others…
You may have noticed that the first few items sound very much like a penetration test. That is correct. But the other items would only be identified through other means. Building an assessment program requires conducting threat modeling exercises, applying a variety of automated and manual testing practices, scheduling meetings and interviews with the appropriate SMEs, and conducting tabletop exercises. All of the resulting data is then used to identify gaps and to build a remediation roadmap with associated metrics.
This is a program rather than a project because the work is necessarily ongoing: the IT environment keeps evolving, and so do the risks. The artifacts of the program are the metrics and reports that show progress toward closing the identified gaps and the resulting increase in security program maturity (this is the link back to the security program).
Now compare this to the standard annual pen test, which is where many organizations stop. It’s like comparing a bathroom remodel to a gut rehab of an entire house.