CISSP Security Assessment and Testing – Bk1D6

Organizations need to identify and address issues that may put them at risk. To do this, they perform security assessments, risk assessments, and security audits. While these are related, it is important to understand the differences between them.

  • A security audit compares its results against a standard to determine whether the standard is being met. Third-party audits are often required for legal or contractual compliance, but internal auditors are also used by many organizations to provide oversight over their own efforts. Most security audits will determine whether the organization is in compliance with the standard they are auditing against but won’t track whether the organization’s efforts exceed it.
  • Security assessments are used to determine an organization’s security posture. This means that assessors use standards as well as their own knowledge and experience to assess the strength and effectiveness of their security posture. Thus, all security audits are a form of security assessment, but not all security assessments are audits.
  • Risk assessments provide a view of the risks that an organization faces. Many risk assessments categorize risks by probability and impact and include details of findings and potential controls. Since risk is an important element in a comprehensive understanding of an organization’s security posture, risk assessments are often included in a security assessment.

Once an organization has completed an assessment or audit, it must prioritize the actions it will take in response. Most assessments and audits provide findings that need to be addressed. Organizations must analyze the gaps and issues based on their knowledge of the organization, its practices, its capabilities, and its existing implementations, and then prioritize and plan which findings they will address and in what order. Responses include deploying controls, remediating issues, transferring risk through the purchase of insurance, or documenting and accepting the risk. Each of these responses carries a cost that must be weighed against the improvement in security posture or the reduction in security risk it brings to the organization, to make sure that appropriate actions are being taken.

After controls are put into place, they must be tested to ensure the problem is truly resolved. For example, an organization that is notified about a security issue with its website as part of a security assessment will not want to run the website with an insecure configuration, so it will identify possible controls and will select one or more of those controls to implement. Once a solution has been designed, the organization will test the solution, both prior to deploying it to ensure that it provides the security the organization is expecting and on an ongoing basis afterward as part of an ongoing security management effort. Only then can the organization operate with the confidence that the issues have been resolved.