Assessing your organization’s Information Security posture
InfoSec technologies alone will not keep your organization safe.
All organizations — regardless of size, sector, industry, location, or mission — are facing an increasing number of information security threats and challenges. Such threats and challenges put an organization’s revenue, reputation, and overall health at risk. In the wake of high-profile attacks such as those experienced by Sony, Target, and Home Depot, it has become clear that no organization is immune — and the damages caused by such breaches can be extremely costly if not irreparable.
Information security is not a one-time technology investment. Rather, an organization’s information security posture comprises plans, processes, policies, governance, and the technical infrastructure. At FireOak Strategies, we work with organizations to assess their information security posture and improve the overall health of their InfoSec programs.
Our Information Security Maturity Assessment (ISMA) uses as its foundation the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. This Cybersecurity Framework was developed in direct response to the White House’s Executive Order 13636 which established that:
The Cybersecurity Framework aligns with the Council on CyberSecurity (CCS) Top 20 Critical Security Controls, the Control Objectives for Information and Related Technology (COBIT), and ISO/IEC 27001, Information Technology — Security Techniques — Information Security Management Systems Requirements, among others.
ISMA is not a penetration test or a vulnerability assessment; rather, we look at an organization’s entire information security posture in order to assess what’s working and what’s not; identify risks, threats, and challenges; spot gaps; and provide short-term and long-term recommendations for remediation.
Unlike standalone penetration tests or network analyses, ISMA focuses on the full health of an organization’s information security posture — the information governance, policies, processes, roles and responsibilities, and accountability issues. It is our experience that challenges with information governance are the single-biggest cybersecurity threat for most organizations, so we pay particular attention to these areas.
While we routinely conduct penetration tests, network analyses, or vulnerability assessments, we believe that they are most effective when conducted in conjunction with the broader information security maturity assessment rather than as a standalone test. In order to be actionable, technical tests should also address governance, policy enforcement, processes, and other elements included in the FireOak Strategies ISMA.