There are many IT services firms – including some run by friends and colleagues of mine – that perform something called “network assessments.” The purpose of these assessments, which are usually aimed at SMBs, is to determine the overall health of your network and computing environment, supposedly including security.
First, let me be clear that these are legitimate services for finding out where your network stands. That’s fine and dandy – a useful service indeed. The problem is that network assessments are often pushed and sold as security assessments, something that on paper competes with a more in-depth security vulnerability assessment. They are not the same thing.
I saw recent descriptions of such services that claim to “check the security environment of your network” and “help ensure your sensitive data remains protected.” In discussions with my friends and colleagues, none of them have ever claimed to be security experts, yet they still offer these services. I don’t believe “in-depth security assessments” are their intent, but what exactly are such companies purporting to do? Many are just visual inspections or basic questionnaires and may incorporate rudimentary security scanning tools such as Microsoft Baseline Security Analyzer.
My point is: Be careful. Just because a network engineer “checks” your systems, recommends some software updates or network design changes, and ultimately installs a few new security products in your environment, don’t assume that you’ve had a proper information security assessment or that your information is truly secure. Your best bet is to decide what you actually want, then ask specific questions about scope, methodology, and deliverables (for example, whether the work includes vulnerability scanning, manual testing, and a written findings report) to help ensure you’re getting what you really need before the project starts.
Here are some information security assessment articles, screencasts, podcasts, and webcasts you can peruse to help you fine-tune your requirements the next time this comes up.
Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.