A security assessment gauges the risks facing a network and is used to select potential solutions.
You can’t manage problems if you don’t know they exist, and you can’t manage successful execution if you don’t measure deliverables. A security assessment identifies a company’s technical and organizational security fallibilities. The goal of such an assessment is to gather information in order to create or revise security policies.
No “standard” security assessment exists. It’s a process that is custom-tailored to each organization. Templates, guides, and software tools are readily available to help conduct a security assessment for any organization, and consultants who specialize in conducting security assessments can also be hired. However it is accomplished, a security assessment will vary depending upon the security goals of the organization being analyzed.
Don’t confuse security assessments with security audits. In our opinion, these are two very different concepts. The term audit refers to an established compliance procedure used to satisfy legal or regulatory obligations. An assessment is an internal initiative used to create a baseline picture of a network’s security, usually for the purpose of making improvements. It’s pointless for us to discuss audits here, because their requirements change based on the industry, regulatory, and legal requirements involved. Recent historical events such as September 11, 2001 and the barrage of corporate accounting scandals have raised the bar significantly in terms of security requirements. Security assessments are something that every organization should periodically perform.
The above information is the start of a chapter in "Network Security Illustrated," published by McGraw-Hill and available from amazon.com, as well as your local bookstore. The book goes into much greater depth on this topic. To learn more about the book and what it covers, click here.
Below, you'll find links to online resources that supplement this portion of the book.