Measuring and Testing your Information Security – Part 3
In Part 2 of this blog series, Conosco Information Security Manager explained the importance of continual internal cybersecurity measuring and testing. In Part 3, he details the various methods of external monitoring and testing.
External measuring and testing of an organisation’s policies and controls provide an authoritative, independent result. The benefits of these external tests are numerous. They allow an organisation to make use of the knowledge and experience of 3rd parties, which usually means that the tests provide more accurate results. Also, external auditors and testers are impartial and thus will not be affected by any internal politics and biases that exist within the organisation, whether the organisation realises they exist or not.
Almost every information security standard or guidance requires the at least annual external testing. For example, ISO27001 requires annual external audits by the certification authority. Many contractual and compliance requirements also stipulate the need for regular independent testing. The main reason for this is the independence of the external party, results obtained from external testing will be true and accurate, without being affected by any organisation internal issues. This makes it much harder for an organisation to hide issues from an external auditor than from an internal auditor, who may be persuaded to look the other way by a senior staff member for example.
Two methods of external testing of security controls are penetration tests and external audits.
External audits are usually only mandated by compliance standards of contractual obligations. If you have to provide impartial evidence of your organisation’s information security to a customer or supplier, you would need to use an external party to conduct the audit, because of impartiality and to avoid a conflict of interest. Internal audit results are usually not considered authoritative in this regards. Also, most compliance standards require an independent external audit annually. Of course, an organisation can also commission an external audit if it wants an in-depth and detailed assessment of its current information security posture. These are often done in conjunction with penetration tests.
External penetration testing is another requirement of many compliance standards and stricter contractual commitments. These are similar to vulnerability scans, however, the professionals who manually conduct these tests go further than vulnerability scans, which are automated. These tests attempt to exploit any vulnerabilities found, to provide a good estimate of the actual damage a malicious attacker could do to the organisation and its information. These tests are usually more expensive than vulnerability scans and take longer. When considering penetration tests, it is very important to work with a trusted provider to establish the rules and scope of the test, in order to avoid any accidental outage or damage to the organisation’s infrastructure.
If you have any questions about the information security of your business, do get in touch with one of the experts at the Conosco Security Division: email@example.com.