Consulting with a Conscience™

A cruciallogics blog

Written by Nim Nadarajah
on May 10, 2018

It’s not enough to set a compliant, secure system up once and forget about it. Standards morph with time and malicious actors update their methods to exploit new vulnerabilities. A safer IT department is one that takes the time to audit itself and adapt to evolving industry best practices.

Why test at all?

Testing isn’t free. It’ll take money, work hours, and you may need to partner with consultants to ensure you’ve got the right expertise. So why do it? Well, better you catch and correct an issue before a regulator does — or worse, before an unauthorized intrusion harms your business directly.

You’ll also want to stay on top of external compliance standards, and to check just as regularly that your own internal policies are actually being followed: you won’t know where practices have slipped until you go looking.

There’s a lot at stake. You can’t afford to take a lax approach to your IT security. You have to stay on top of it.

How to begin your comprehensive IT security and compliance testing

You’ll want to begin with an assessment of your current Security Design. If you don’t have one at all, you should make one, because having a plan in the first place and ensuring that the implementation matches the plan is the best thing you can do to keep secure.

Since you last reviewed your plan, have there been new compliance changes to incorporate? Have industry best practices progressed beyond what they were? Have new vulnerabilities been uncovered? You’ll need to be asking yourself these questions as you work through the review and identify both gaps in the design itself and gaps in its implementation.

Subjecting your systems to a penetration test

Once you’ve reviewed and improved your systems, it’s time to make sure you did so effectively. A penetration test is an attempt to simulate the actions of an attacker and discover whether it’s possible to break in. It is executed by ethical hacking experts, and if it reveals that intrusion or damage is possible, the lesson is that there’s more work to do. Better that this be found out and fixed now rather than after a real intruder accesses sensitive information.

How often should you test?

There’s no magic one-size-fits-all number that can tell you how often you should be testing. Some companies do it annually, some quarterly, some not at all.

You do want to do it more often than never, but it comes down to a question of risk versus resources. If you don’t actually deal with much sensitive information, and your previous testing revealed your security to be extremely strong, perhaps you can afford to go a little longer. But if your business relies on reams of personal data, you’ll need to ensure it’s held safely and look ahead to what you’ll need to do to meet new compliance standards — such as getting ready for GDPR. If you have a compliance officer, they may be able to assess an appropriate timeline themselves; otherwise, you should turn to an outside expert.

CrucialLogics has security and compliance expertise capable of taking you through a collection of assessments to the penetration testing stage. We've got a service specifically for providing assurance that your Office 365 deployment is safe and secure. We can also advise you on the scope and frequency of reviews: ensuring ongoing success. Learn more about our Assurance offering here.

The challenges never end for CSOs. But if you're looking at anything from a quick security consult to a full scale cybersecurity solution deployment, start here.
