October 20, 2022
Security / Technology

Information Security Assessments – The Four Basic Types: Cyber Series Part 3

Written by Zach Sherf
InfoSec Assessments: the four basic types

Information Security assessments can provide businesses and organizations with a better understanding of security vulnerabilities. In part three of our four-part series on Cybersecurity, I wanted to cover the four basic types of assessments you’ll likely encounter. Hopefully, by the end of this post, you’ll have a better understanding of the assessment types, how they differ, as well as when you may use them in your business.

Risk Assessment: Likelihood and Impact Weighted Exploit Report

A risk assessment takes each vulnerability and weighs it by two factors, likelihood and impact, with the risk being the product of the two. For example, technically every building in Southern California is vulnerable to a heavy snowstorm: the impact would be high, because those buildings are not built to carry the weight of snow. However, because the likelihood is near zero, the overall risk is low.

A risk assessment helps companies understand where their actual risks are, not just their vulnerabilities. Think of it like a filter on what to focus on.

Penetration Test: Breaking In

Penetration testing, also known as “pen testing,” uses a combination of automated tools and personal expertise to break into a system. Basically, you hire a professional thief, tell them to steal from you, and then have them tell you how to stop it from happening again.

The goal, or output, of a pen test is a list of the vulnerabilities the tester found (ideally demonstrated by actually exploiting them), which you and your teams can use to put a plan together to make your systems and processes safer and stronger.

Vulnerability Assessment: A Detailed Overview of Potential Exploits

A vulnerability assessment gathers data from multiple sources, including pen testing, automated scanning tools, and manual data collection, to give you a list of every known vulnerability. This information is especially useful but can be extremely overwhelming.

Think about what would happen if you asked for a list of every possible way to break into your house, including something as unlikely as someone tunnelling up through the ground to get in. It’s technically a vulnerability, so a vulnerability assessment would document the tunnelling. If you also conducted a risk assessment, it would tell you whether that tunnelling represented a high or low risk to the safety of your home, taking into account how unlikely it is.
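The relationship between the two assessment types above, a vulnerability assessment producing the full inventory and a risk assessment scoring and filtering it by likelihood times impact, is easy to make concrete in code. The block below is an added example, not code from the original post or from Interlaced; the 1-to-5 scales, the band thresholds and the list of findings (including the snowstorm and tunnelling cases from the text) are all constructed here for illustration.

```python
"""Turn a vulnerability inventory into a risk-ranked, filtered list.

Added example, not code from the original post. The 1-5 scales,
the band thresholds and the sample findings are assumptions made
for this illustration; a real assessment uses the scale its
methodology defines.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # both factors are scored 1 (lowest) to 5 (highest)

# Band floors on the 1-25 product, checked highest first (an assumption)
BANDS = [(15, "High"), (8, "Medium"), (1, "Low")]


@dataclass(frozen=True)
class Finding:
    ident: str
    description: str
    likelihood: int  # how probable it is that the event or exploit happens
    impact: int      # how bad it would be if it did

    def __post_init__(self):
        # Reject scores outside the agreed scale instead of silently ranking them
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.ident}: {name}={value} is outside the 1-5 scale")

    @property
    def risk(self) -> int:
        """Risk is likelihood multiplied by impact, as the post describes."""
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        for floor, label in BANDS:
            if self.risk >= floor:
                return label
        return "Low"


# Constructed sample inventory: what a vulnerability assessment would hand you
FINDINGS = [
    Finding("F-1", "Roof not rated for snow load (Southern California office)", 1, 5),
    Finding("F-2", "Internet-facing admin console using default credentials", 5, 5),
    Finding("F-3", "Legacy TLS versions still enabled on an internal host", 4, 2),
    Finding("F-4", "Tunnelling up through the foundation to enter the building", 1, 4),
    Finding("F-5", "Unpatched web server with a publicly known exploit", 4, 5),
]


def rank(findings, min_band="Medium"):
    """Return findings at or above min_band, highest risk first.

    This is the "filter on what to focus on": the inventory goes in,
    only the items whose likelihood x impact clears the bar come out.
    """
    order = {label: i for i, (_, label) in enumerate(BANDS)}  # High=0, Medium=1, Low=2
    keep = [f for f in findings if order[f.band] <= order[min_band]]
    return sorted(keep, key=lambda f: (-f.risk, f.ident))


if __name__ == "__main__":
    # Full register first, then the filtered view a risk assessment would present
    for f in rank(FINDINGS, min_band="Low"):
        print(f"{f.ident} {f.band:<6} {f.risk:>2} ({f.likelihood}x{f.impact})  {f.description}")
    print("Focus list:", [f.ident for f in rank(FINDINGS)])
```

Note how the snow-load finding (F-1) carries the highest possible impact yet lands in the Low band because its likelihood is 1, which is exactly the distinction the post draws between a vulnerability and a risk.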

Gap Assessment: Comparison of Current Risk Tolerance vs. Industry Standards

A gap assessment helps companies identify opportunity gaps between where they are today and where they want to be in the future, usually based on security compliance standards such as SOC 2, PCI, HIPAA, GDPR, etc.

Gap assessments help companies formulate a plan of action with the appropriate milestones required to achieve their compliance goals. This brings me to one final important aspect, but it’s not an assessment.

Attestation: Third-Party Verification

What is “attestation,” you might ask? An attestation refers to a third party verifying your compliance publicly. Companies seeking attestation to a specific compliance standard, such as SOC 2, are looking for a qualified, independent party to attest that they are meeting all the requirements of that standard.

Someone at a security consultancy may be able to help at every point up until the attestation. However, to actually attest, you’d want to bring in an independent third party (for SOC 2, a licensed CPA firm; for PCI DSS, a Qualified Security Assessor) to say “We checked their work and can confirm it’s accurate.”

This seal of approval is really valuable because it lets your partners and vendors – as well as your future partners and vendors – know you’re meeting a publicly recognized set of security standards.

Where Do I Start?

So as a business owner or operations manager – where do you start? Well, if you tuned in to part 2 of our series, you’ll remember that you can’t secure what you don’t know! A great place to start is to contact a security partner who can give you better guidance and ultimately put together a plan, which will likely include one of the four assessments we’ve discussed today.

And That Concludes Part 3!

Navigating the world of Information Security can be daunting – but it doesn’t have to be! Knowing the types of information security assessments that are available, the differences between them, and how they can impact your organization is a great first step toward building a more robust and secure IT program.

This post is part three of a four-part series, and our final installment will be coming out next week! To learn more about how Interlaced can help your business with IT support, contact us today.

Zach Sherf

Zach is a data privacy evangelist and Apple fanatic. As Director of Cybersecurity, he works with both internal and external teams to drive the dialog around the ever-evolving relationship between people, security, and technology.