It’s not enough to set a compliant, secure system up once and forget about it. Standards morph with time and malicious actors update their methods to exploit new vulnerabilities. A safer IT department is one that takes the time to audit itself and adapt to evolving industry best practices.
Why test at all?
Testing isn’t free. It costs money and work hours, and you may need to partner with consultants to ensure you have the right expertise. So why do it? Because it is far better to catch and correct an issue yourself than to have a regulator find it first, or worse, to have an unauthorized intrusion harm your business directly.
You’ll also want to stay on top of external compliance standards, and to verify just as regularly that your own internal policies are actually being followed: you won’t know where practices have slipped until you go looking.
There’s a lot at stake. You can’t afford to take a lax approach to your IT security. You have to stay on top of it.
How to begin your comprehensive IT security and compliance testing
You’ll want to begin with an assessment of your current security design. If you don’t have one at all, you should make one: having a plan in the first place, and ensuring that the implementation matches the plan, is the best thing you can do to stay secure.
Since you last reviewed your plan, have there been new compliance changes to incorporate? Have industry best practices progressed beyond what they were? Have new vulnerabilities been uncovered? You’ll need to keep asking yourself these questions as you work through the review, identifying gaps in the design itself as well as gaps in its implementation.
Subjecting your systems to a penetration test
Once you’ve reviewed and improved your systems, it’s time to make sure you did so effectively. A penetration test is an attempt to simulate the actions of an attacker and discover whether it’s possible to break in. It is carried out by ethical hacking experts, and if it reveals that intrusion or damage is possible, the lesson is that there’s more work to do. Better that it be found out and fixed now than after a real intruder accesses sensitive information.
How often should you test?
There’s no magic one-size-fits-all number that can tell you how often you should be testing. Some companies do it annually, some quarterly, some not at all.
You do want to test more often than never, but beyond that it comes down to a question of risk versus resources. If you don’t actually handle much sensitive information, and your previous testing showed your security to be extremely strong, perhaps you can afford to wait a little longer between tests. But if your business relies on reams of personal data, you’ll need to ensure it’s held safely and look ahead to what you’ll need to do to meet new compliance standards, such as getting ready for GDPR. If you have a compliance officer, they may be able to set an appropriate timeline themselves; otherwise, you should turn to an outside expert.
CrucialLogics has the security and compliance expertise to take you through a collection of assessments all the way to the penetration testing stage. We've got a service specifically for providing assurance that your Office 365 deployment is safe and secure. We can also advise you on the scope and frequency of reviews, helping to ensure ongoing success. Learn more about our Assurance offering here.
The challenges never end for CSOs. But if you're looking for anything from a quick security consult to a full-scale cybersecurity solution deployment, start here.