Best Practices
Security assessments will help answer the question, "How do I know that my network is really secure?" You can also track progress toward improving the security of your network by repeating a security assessment after you have addressed the weaknesses discovered in the initial security assessment.
The security assessments discussed in this chapter are very different: each attempts to assess different areas of security, requires special areas of expertise, and calls for different levels of investment from your organization. To ensure that the security audit you perform meets the needs of your organization, choose the appropriate security assessment. For example, conducting a vulnerability scan probably will not reveal issues with IT security policies and procedures, just as an IT security audit probably will not reveal that weak passwords are used on servers.
As with most IT projects, the major reason that security assessments fail is poor planning. To avoid this pitfall, take time during the planning stage to create a project vision and a scope to guide the security assessment. Do not conduct a security assessment without executive sponsorship.
To ensure that the security assessment results can be independently reviewed and reproduced if necessary, carefully document the methodology used to conduct the security assessment.