SoS: get insight in your risks and overall security

Blog by: Saskia de Cloe

WHAT IS A STATE OF SECURITY ASSESSMENT (SOS)?

The SOS, State Of Security Assessment, is an integral approach to identifying the current state of security within a company. It allows an organization to evaluate its current level of security and its security maturity level. Typically, a SOS is a way to gain insight into the key steps needed to improve an organization's maturity, but it is also commissioned after an incident or in order to obtain cyber insurance.

Northwave combines a series of activities, such as an analysis of documents, interviews and technical tests, to determine the state of security. These activities focus on information security within the organization's policies, processes and work agreements (business), the technical measures (bytes), and the employees' expected behaviour (behaviour). Additionally, the assessment focuses on privacy and on the ability to manage information security. The framework of the assessment applied by Northwave is mainly based on ISO 27001, the GDPR (General Data Protection Regulation), NCSC recommendations (National Cyber Security Centrum) and Northwave's expertise and experience.

HOW DOES STATE OF SECURITY ASSESSMENT HELP TO INCREASE THE SECURITY OF A COMPANY?

As part of the assessment, Northwave formulates an expert opinion and actionable advice with which an organization can take the next steps to improve their information security. The result of the assessment is a combination of the risk exposure (the measure of potential future loss resulting from a specific activity or event), and a roadmap.

The assessment and the actionable advice, in the form of a roadmap, give the organization insight into its potential risks and the measures needed to reduce them.

WHY IS TAKING STATE OF SECURITY ASSESSMENT IMPORTANT?

Defining the state of security is the first step towards improving information security. By taking adequate, pragmatic measures, an organization gains control over its risks. Northwave's approach is more holistic than a 'simple' ISO 27001 gap analysis: it provides an in-depth security maturity perspective. This assessment is key to having a state-of-the-art vision of the state of security (and therefore of the security maturity). Besides this, it offers an overview of the risks and of the necessary (structural) measures to enhance security in a company.

This assessment is specifically relevant for companies that require a strategic roadmap with a plan to increase their information security. It is also particularly useful after a security incident, as it provides a detailed overview of the level of security of the company as a whole.

The State Of Security assessment is one of a kind, in that a business assessment, behaviour/awareness research, a technical or privacy assessment and a risk assessment come together. The value of this assessment is that it gives a holistic, integral view of the risks. Additionally, this assessment looks at the entire security management process from A to Z, from the documentation analysis and interviews (how is it implemented?) to the security tests (does it work accordingly?). But the true value lies in these two aspects playing well together.

WHAT STEPS DOES A STATE OF SECURITY ASSESSMENT CONTAIN?

The SOS consists of several steps that are carried out in sequence. The initial step is an intake session to understand the context and determine the setup of the security tests. A team of Northwave consultants then conducts interviews with employees, analyses the documentation and performs the technical tests. The tests are executed from a hacker's point of view and answer questions like "what damage can a hacker currently do to my organization?". The activities can vary from a phishing activity to a penetration test or a social engineering activity. We combine the results and, based on the findings, deliver an expert opinion in a report that includes a remediation roadmap and detailed recommendations.

WHAT CAN A COMPANY DO TO PREPARE FOR STATE OF SECURITY ASSESSMENT?

To ease the project, we recommend gathering the security documentation, identifying the stakeholders involved in the security of the company and determining who oversees IT security, so that the technical consultant knows who their point of contact is. Additionally, it is advised that the management team informs employees of the upcoming assessment to ensure availability and transparency.

HOW CAN THE FINDINGS BE IMPLEMENTED?

With the roadmap and recommendations provided on all security aspects (Business, Bytes, Behaviour), the company receives pragmatic recommendations to structurally improve, and remain in control of, its information security.

Some organizations do not have a dedicated security team or the resources to implement and run an ISMS (Information Security Management System); therefore Northwave offers the option of opting for the SPO (Security and Privacy Office). The Security and Privacy Office is an outsourced security team that implements and runs an ISMS. It consists of a security officer and a team of experts who manage security and privacy incidents.

ARE THERE ANY OTHER THINGS ABOUT THE SOS THAT HAVE NOT BEEN MENTIONED AND THAT YOU THINK ARE IMPORTANT?

In a nutshell, the goal of a SOS is to give an overview of the current state of an organization's information security maturity. It offers practical advice on how to mitigate risks and a roadmap to manage the information security environment.