Implementing a Successful Security Assessment Process

The goal of a security assessment (also known as a security audit or security review) is to ensure that the necessary security controls are integrated into the design and implementation of a project. A properly completed security assessment should produce documentation outlining any security gaps between the project design and approved corporate security policies. Management can address those gaps in one of three ways: cancel the project, allocate the resources needed to correct the gaps, or accept the risk based on an informed risk / reward analysis.

Traditionally, security considerations have been an afterthought (at best) in project planning and throughout the project life cycle. A white paper published by Internet Security Systems emphasizes this reality: “from senior management to customers and suppliers, security is perceived at best as a necessary evil. At worst, it is an expensive and unwanted intrusion into normal business operations.” A properly implemented security assessment process can break down this perception.

A successfully implemented security assessment process in the enterprise can provide the necessary emphasis on security policy during the most important phases of a project: the planning and design phases. Furthermore, an increasing number of projects (especially those for companies engaged in e-commerce) require some aspect of security (authentication, authorization, etc.) as the key project enabler. As such, security requirements must be emphasized throughout the life of the project, from requirements and design through implementation.

The purpose of a security assessment is not to determine whether a project should be implemented, but to provide the appropriate analysis against approved policy. This is an important notion from a customer service perspective. A project team should never be tempted to hide security issues or mislead the security manager out of fear that the security function will cancel the project. Many projects may go forward with unresolved security issues because the potential reward justifies the increased risk. The security assessment simply identifies these risks and frames them properly so that senior management has a complete picture when making these risk / reward decisions.
