The Federal System’s Need for a Security Assessment Process, Part 2: Categories of Security Assessments

Security assessments fall into several categories, and an organization's core mission usually dictates which ones management is most interested in conducting. For example, an organization with a large external presence may be most interested in how it appears to the outside world and how well it protects its internal resources from external parties trying to harm it. Another governmental institution may be more concerned with its internal security posture and controls than with its external appearance: it may have a pressing need to verify internal access control, password compliance and proper network segmentation rather than which protocols are reachable from the public network. The type of assessment actually performed therefore depends on the organization's mission as well as its overall security needs.

The availability of suitable assessment tooling, technical skills and staff within the agency also plays a large part. The categories discussed here are the Basic Security Assessment, the In-depth Security Assessment, the External Vulnerability Security Assessment and the Internal Vulnerability Security Assessment.

Whether the assessment is conducted by the agency's own employees or outsourced to an external contractor, the results of each category provide a way to verify the level of security of network resources. Each category is defined below.

Basic Security Assessment – The objective of a Basic Security Assessment is to give the agency a fundamental understanding of its security posture as a whole in three key areas: Administrative, Physical and Technical. It is meant to point out possible areas of weakness through a walk-through of the facility and a briefing at the end. It is not an in-depth study but a basic first step in protecting information.

In-depth Security Assessment – The In-depth Security Assessment is a comprehensive study of the agency's security. All policies, procedures, hardware and software configurations, workstations, servers, websites and mail servers are examined, and the findings are presented in a written report. This type of assessment gives the agency a thorough understanding of how well it complies with FISMA requirements.

External Vulnerability Security Assessment – An External Vulnerability Security Assessment tests the agency's network from the outside, from an attacker's point of view. The assessor often uses the same tools that external malicious actors use to try to compromise a network. Because it only sees what is reachable from the public network, it says little about the controls that matter once an attacker is already inside.

Internal Vulnerability Security Assessment – This type of assessment is conducted from inside the organization's network. It is essential for understanding how and why attackers, viruses and worms spread so quickly through an organization once an initial breach has occurred. Its results can guide additional measures that keep an incident from spreading to critical areas. The same tools used in the External Vulnerability Security Assessment are often used internally as well, for realistic simulation and accuracy.

Read the rest here.

Read part 1 here.
