Sometimes it feels like the technology world is driven by assessments. Or at least from our perspective here at OXEN Technology!
A technical assessment can be the foundation of a successful IT consultation. It provides the baseline information you need to plan the improvement, modification, or migration of your IT infrastructure. In fact, you are likely to discover security risks you never thought would happen or configuration errors you were unaware of!
Today we want to explain some types of assessments that we are familiar with and use. We hope this will be helpful if you’re evaluating what types of assessments are out there and which ones might be best for your situation and your questions. Keep in mind that the terms we use here aren’t necessarily standardized for assessments, so knowing what an assessment includes, rather than what it’s called, is probably most important.
Network vs. Security Assessment
A network assessment is generally an analysis of your network infrastructure and configuration. This assessment will be focused on things like network assets, storage and disk space, aging workstations, inactive computers or user accounts, unsupported operating systems, internet access and speed, event logs, and so on.
A security assessment of your network does analyze some of the same areas as a network assessment, but it is focused on protocols, permissions, and policies. Are there outbound protocols that shouldn’t be allowed? What are the domain security and local security policies? How strong and consistent are password policies?
These two types of assessments go well together, and they will bring up equally important vulnerabilities.
High-Level vs. In Depth
Another way to look at assessments is to ask, “How much of the network can the scanning tool access?” An initial assessment may be more of a high-level analysis. A more detailed and intensive assessment can build on top of this initial one, and may actually require a device to be physically brought into the network to help perform the scan.
For example, at OXEN our Network Risk & Security Assessment is a high-level assessment that requires software to be run in the network environment (which can be done remotely). This tool quickly scans the network and does a basic discovery of network devices, configurations, and policies. This generates a lot of useful information, but it’s just scratching the surface!
We have another more advanced option called our Security Vulnerability Assessment, which requires a device to be physically brought into the network. It runs for days, rather than minutes. It can get a very detailed analysis of the network over this longer period. This assessment is able to provide more information about internal vulnerabilities, at an incredibly granular level with explanations and recommendations for each vulnerability found.
Policies & People vs. Technical
Keep in mind that there’s more to assessing your network and security measures than just looking at hardware, software, and configurations. If you’re trying to assess the risk of a data breach or Personally Identifiable Information (PII) leaking, you have to think about the human aspect too. Human behavior and business policies that guide employees’ behavior are crucial.
With that in mind, there are assessments aimed specifically at assessing the safety of your data from a people, policies, procedures, and safeguards stance. This type of employee policy-focused assessment will cross over into the technical realm in some areas (e.g., password policies and other technical safeguards for data). But it will also look at whether you have policies for training employees, tracking movements of portable devices (to detect theft), physical security (like restricting areas of the building to visitors), and so on.
Technical assessments are not likely to cover information from an employee handbook or business policies on safeguarding data, disposing of hardware, or acceptable use of the network. But this information is very valuable! We recommend pairing a technical assessment with an employee policy-focused one to get a more comprehensive look at your security risk level.
What do they all have in common?
Clear, concrete recommendations are the common feature of any good assessment.
Whether the final report you get is high-level or in-depth, network or protocol-based, a good one will give you a clear ranking of your highest risks to your lowest risks and what you should do address the problems.
If you request an IT assessment, we encourage you to take full advantage of these reports and recommendations and any work plans also generated. They immediately become the foundation of a technology strategy.
If you’re interested in learning which type of technical assessment would help benefit your organization, we would love to consult with you – just drop us a note at firstname.lastname@example.org or call us at 888-296-3619.