executive management to understand information risks that could impact the business. This alone will provide invaluable information over and above a report derived primarily from scanning or self-assessing tools.
The depth, scope, objectives, and type of security assessment should help to determine whether you have the internal expertise and reliable tools to carry out your project. But there is so much riding on the results that even entertaining this option should be carefully considered by management. Most security experts will highly recommend that the person overseeing the project be impartial and independent of IT. This avoids the conflicts of interest or interference that can compromise the findings, and with them the business. Compare this process to an accounting department at a public company auditing its own books, or the fox guarding the henhouse. By electing an outside firm, internal politics and relationships will not play a part in discovery. You will get an honest, objective and unbiased assessment that will stand up to scrutiny.
Another point worth mentioning is that companies need to realize that vulnerability-testing software allows an employee to explore company systems and test network security at will, whether or not anyone else knows. Yes, many IT employees already have extended privileges, especially in smaller companies, but to what extent might they, unnoticed and without oversight, have roamed through sensitive data? Would you as an executive favor your information security vulnerabilities and processes being reviewed by someone who has the potential of being a bad guy? Take, for instance, the senior-level database administrator for a subsidiary of Fidelity National Information Services who was accused of stealing and selling sensitive information on 2.3 million consumers last year. Without proper oversight, the door is open to a dishonest employee finding holes and gaining access to information without anyone knowing. Oversight just makes good business sense. So the caution here is: trust, but verify.
An article this month in Redmondmag.com, Alarming Number of Superusers Lurking Near Sensitive Data, refers to a study that revealed 47% of 300 mostly senior IT professionals surveyed have at times accessed information not relevant to what they were supposed to be doing. They admitted routinely abusing their admin privileges by accessing company systems and snooping through confidential files, databases and documents. It states that “Among the confidential bits of information IT pros admitted to looking at were salary details, merger and acquisition or executive share-sale plans and initiatives, personal e-mails, board meeting minutes and correspondence, and other pieces of personal information.” Top management should know what admin rights IT staff have to confidential information within their company and ensure proper controls are in place to remove any temptation of improper access. IT departments welcome our help because it’s their personal information that could be affected as well. If you are concerned about access parameters and don’t have the necessary oversight in place, it is best to hire an outside consultant to verify the controls that have been established.
As you ponder the thought of doing a security assessment in-house, consider the man-hours involved, the cost of appropriate software tools for performing tests, and the reliability and thoroughness of your results. It may well be worth the investment to work with an independent, unbiased third party like NCX Group. We can also prepare you, and instruct you, on how to maintain a secure environment going forward.
A word of caution: If you choose to conduct your own information security assessments in-house, be prepared to defend your security-specific qualifications and experience as they relate to your assessment findings and recommendations. If personally identifiable information is involved in a breach, those qualifications will be a focus of the attorney general in your state.
NCX Group consultants have excellent qualifications. Information security is our focus and our rates are extremely competitive. Think about the effort and time you’ll be saving. And because we review with you every aspect of your security program, you’ll know you are on the right track to protecting your critical data. For more information about our services or for a free consultation on how our experts can help you secure your data at a price that will fit your budget, call us at 888-448-5451 or request a representative to call you.
NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today’s technologies and business processes.