Having recently completed a fairly comprehensive security assessment for a large financial services client, I thought I’d share the general approach we took to breaking it down into manageable chunks.

This is not an exhaustive list by any means, as it was tailored to the client’s needs, but hopefully it will assist anyone trying to define the scope of a security review, and you may find a few points in here that you had not thought about.

Security operating model

  • Security governance & control processes
  • Accountability, roles and responsibilities
  • Vendor and third-party support and interworking
  • Skills requirements and key people dependencies
  • Risk management & associated process
  • Contractual obligations of outsourcers (identify gaps)
  • Acceptance into service processes

Security architecture & design

  • Architectural principles and standards
  • Architecture governance
  • Review the complexity of the security estate to look for simplification opportunities
  • Ensure architecture is fit for purpose
  • Ensure deployed systems are working as designed
  • Review design parameters against best practice and vendor recommendations
  • Technical security controls
  • Service design
  • Build standards

Incident management and support

  • Incident management & escalation process
  • Are there appropriate security run books in place?
  • Third party escalation process

Change management

  • CAB, TDA and other sign-off processes
  • Business notification process
  • Tracking changes

Security device monitoring

  • Are the right parameters being monitored?
  • What else can/should be monitored?
  • Device capacity: CPU, traffic levels, memory, etc.
  • Reporting of the above: content, frequency, format
  • How is monitoring undertaken?
  • Ensure device configurations are correct & tested

Asset management of security devices

  • Device health checks, early warning processes
  • Software levels & patching
  • Licensing
  • Lifecycle engineering
  • Hardware and software test and certification process
  • IPS signature management
  • AV updates

Following the assessment, you can then work on building a target end state for your security organisation. For each area assessed, you should define what leading practice looks like for your particular business needs.

Once you’ve worked out what your end state looks like, you can perform a gap analysis and then develop roadmaps that define how you will get from where you are to where you want to be. At a minimum, your roadmaps should contain the following:

  • Short, medium & long term activities
  • Accountability & ownership
  • Key deliverables & milestones
  • Review mechanism