Security assessments are an essential ingredient to an effective and efficient company or organization security environment. Security assessments evaluate and analyze potential threats to the company enterprise as well as to the company employees and customers. Typically, recommendations and actions are identified to address any potential weaknesses found during the assessment. Security assessments can include network or electronic security threats and vulnerabilities.
These proposed services are offered based on client preference and typically include a combination of electronic security systems (information systems and operations/control systems).
LogOn Consulting works with a client in an advisory capacity to help the client define the desired scope and objectives for a particular security assessment.
Self-Directed Security Assessments
Security assessments can be conducted in several ways, with the most recent approach characterized by substantial involvement of outside subject matter experts and consultants. Typically, consultants will conduct the majority of an assessment and will call upon subject matter experts when the scope of work dictates. Our experience includes such assessments. Most recently, however, we have shifted our direction to help develop and define a new approach that concentrates on the extensive use of a company's internal resources and expertise to direct and conduct each assessment. Our clients are excited by the results and benefits manifest in this particular approach. This approach will be the focus of this proposed services offering.
Self-Directed Security Assessments: Process
Typically, we meet with key company stakeholders, in an advisory capacity, to assist in identifying the assessment scope and defining key objectives.
This initial discussion results in a detailed work plan for the assessment. Included are internal organizational and functional participants and the desired make-up of the various assessment teams. An executive sponsor is identified. Such a senior-level sponsor is not required but is highly recommended.
Next, key deliverables are defined, with a common set of templates (including scope, criteria, reports, etc.) developed and issued to participating teams and team members. Schedules are prepared, and performance measurement and tracking systems are established. Typically, a project manager responsible for overall assessment direction is selected, along with any external subject matter experts.
External subject matter experts are usually available to provide advisory input to individual teams on an as-needed basis. Such experts are also utilized to maintain appropriate levels of objectivity in the evaluation and analysis process attendant to a security assessment. It should be noted, however, that not all assessments require such external resources.
Schedules are developed with critical milestones identified. Deliverables are finalized, including content requirements. A definitive plan for disposition of any recommendations is prepared, along with mechanisms to track their incorporation to completion.
In certain circumstances, performance measurements or follow-up assessments are considered to determine the effectiveness of changes implemented from a particular assessment.
Security assessments are a crucial element of any effort to develop or maintain an effective security program. LogOn Consulting recommends such assessments regardless of the approach taken. We believe there are inherent benefits to conducting self-directed security assessments:
- Company personnel have a broader knowledge and depth of knowledge. This knowledge produces a more finely tuned and clearer understanding of security vulnerabilities and associated solutions.
- Use of internal personnel provides a residual group of key personnel across company organizational and functional boundaries with greater security sensitivities and knowledge. These personnel act as security advocates and security mentors within the organization, increasing the long-term prospects of adhering to good security practices.
- Having a wide array of internal stakeholders participating ensures that recommendations that emerge from the assessment will be implemented in a timely and complete fashion.
- Ongoing changes, refinements and greater security effectiveness are assured by a broad-based organizational approach.
- The detailed experience and knowledge gained during the assessment is retained within the company.
- Finally, the costs to conduct a particular security assessment are less than those of assessments conducted with extensive external consultants and personnel.
Each assessment conducted by an individual organization or company dictates the final schedule. However, the following durations are typical for various types of assessments. The durations run from project kick-off through completion of the assessment report.
- Electronic Security Assessment (information and operational): 8-10 weeks
- Physical and Electronic Security Assessments: 9-12 weeks
Self-directed security assessments can be utilized in any infrastructure industry and organization in the private or governmental sectors.
LogOn Consulting would be pleased to respond to any inquiry for security assessment services. We are highly flexible and can provide wide-ranging solutions to a particular client's unique set of programmatic or personnel (including subject matter experts) requirements.
John E. Allen