5 Minute Security Assessment

A security assessment is a big deal. It takes a lot of time, requires a good chunk of budget since it is done by independent consultants and the outcome is at best 'OK, but could be better'.

For all these reasons, as well as some egoistic ones which won't be mentioned here, a lot of companies avoid hiring a security consultant and doing this assessment.

While the real thing may take time, budget lobbying and guts to admit that you are not perfect, here is a very fast self-assessment which will give you a feeling where are you standing. You can do this assessment on your own time, and no one needs to know the outcome.

Assessment instructions
Answer each of the questions truthfully with a yes or a no. If it is partial, write it up as a no. For each answer add appropriate number of points to a total score (indicated on each question). After finishing with all the questions, sum the score and find the appropriate assessment result depending in which interval your score fell.

Assessment questions

  1. Do we have a firewall active at all ingress points of the network? Yes - 5 points, No - 0 points
  2. Does our team control all firewalls? Yes - 5 points, No - 0 points
  3. Do we have the following basic technical policies in place? Add 1 point for each policy in place
    • password complexity
    • password retention
    • password history
    • logon hours
    • controlled registry editing
  4. Does everyone in the organization have their own individual and unique username for all activities? Yes - 5 points, No - 0 points
  5. Do we have logon/logoff auditing active on all servers and stations? Yes - 5 points, No - 0 points
  6. Do we have a testing environment for patches, new versions and new software before it is rolled out into production? Yes - 5 points, No - 0 points
  7. Do we have written procedures for regulating the above questions as process? Add 1 point for each procedure in place

Assessment results
  • 30-36 points - Very good security posture - You have the basics of a great security governance. Continue developing in both the procedural and technical levels of security.
  • 20-30 points - Acceptable security posture - You are lacking in written procedures and change management, but basic technical security is at a good level - you need to work harder on formalization
  • 10-20 points - Basic security posture - Very basic security, lacking in any formal process of security, and also probably missing elements in auditing, ingress path control and technical policies. You need to go a long way, and you should have started yesterday!
  • 0-10 points - Disaster waiting to happen - So you have firewalls? Really? And maybe you've even plugged them in? Hire a good security expert - after firing your current one and start getting somewhere

Talkback and comments are most welcome

Related posts
Quick and Basic Security Assessment for Databases
WMI Scanning - Excellent Security Tool
Tutorial - Using Ratproxy for Web Site Vulnerability Analysis

No comments:

Designed by Posicionamiento Web