Part 1 of this article appeared in the November 2017 issue of Compliance & Ethics Professional.
In the first article of this series, I described the role of maturity assessment as a part of a robust security program. Following a maturity assessment, which defines how capably management desires a program to operate, a security assessment identifies the risks to organizational assets, based on particular threats and vulnerabilities. This test serves to determine the probability of a threat being realized, assesses current controls, and calculates the residual risk that still exists in spite of these controls. Security assessments are a subset of an organization’s overall risk
Following a maturity assessment that defines management desires and expectations and a gap assessment that communicates the differences between an organization’s current and desired security posture, a security assessment helps establish security governance by providing an independent check on information technology staff, increased awareness of security risks and threats, and prioritization of IT spending for the purposes of risk mitigation. It also provides the basis for a comparative annual analysis of an organization’s security program.
At this point, it may be surprising to think that penetration testing is separate from the security assessment phase of developing a strong cybersecurity policy. The security assessment is a preliminary step that ideally occurs before a penetration test, as the likelihood
The components of strong cybersecurity plans, Part 2:

» Maturity assessments lay the groundwork for cybersecurity programs and allow management to establish desired improvement in comparison to current capabilities.
» A security assessment helps establish security governance by providing an independent check on information technology staff, increased awareness of security risks and threats, and prioritization of IT spending for the purposes of risk mitigation.
» A security audit focuses on the completeness, design, implementation, and efficacy of internal security controls.
» Vulnerability scanning is an ongoing process in an organization that is both offensive and defensive depending on its use.
» Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, these tests are frequently needed for compliance with regulations that set the minimum requirements for cybersecurity programs.
By Mark Lanterman