Properly protecting your business involves much more than simply applying technical controls. For example, security policies, procedures, and business practices that are tailored to the unique characteristics of your business are just as (if not more) important.
When an organization cares about its security, it seeks to understand exactly what assets it is protecting, what environment it has created to protect those assets, and what risks derive from allowing people access to those assets on a practical, day-to-day basis.
This requires taking a holistic approach to what is required of your security, how best to execute those requirements, and how the system will actually work in practice.
Computer security and network security are just some of the components employed in an overall IT security program. Computers are what allow a network or web service to function, while networks enable the communication and sharing of information and web services.
Thus computer and network security are about protecting your digital and physical assets from unintended or unauthorized access, modification, or destruction. When considered under the umbrella of “business security”, you must also account for the business and regulatory requirements that will affect your daily operations and your ability to continue business indefinitely.
What a computer vulnerability assessment will look for may include:
- Analyzing, classifying, and prioritizing assets within the scope of the project.
- Assessing the hardware mechanisms used for protecting system assets.
- Assessing the suitability of technical controls that protect the system.
- Assessing how well the organization complies with regulatory mandates (e.g. HIPAA, PCI-DSS).
- Assessing how well existing security policies and procedures are protecting the system.
- Assessing whether existing security policies and procedures are being consistently followed.
- Determining what vulnerabilities exist within the system.
- Determining what threat vectors are capable of exploiting the identified vulnerabilities.
- Suggesting safeguards and / or countermeasures that remove or mitigate those risks.
Purpose of a Security Assessment Plan:
Information gathered from a security assessment plan, which covers computer, network, and business security, should be used to improve or ensure:
- The overall effectiveness of the organization’s security policy.
- That company policy is being consistently enforced throughout the organization.
- That the organization’s security systems are compliant with relevant regulations.