- October 28, 2022
- Posted by: Gradeon
- Category: Consulting
It’s essential to carry out regular vulnerability assessments to comply with GDPR. The regulation does not explicitly mandate that, but it’s implicit; assessment is a critical component in cyber security. Failing to implement reasonable security practices will not only leave an organisation open to hackers but will also be considered when determining penalties following any data breach.
An organisation planning to carry out a vulnerability assessment for the first time is faced with a clear choice. In-house or outsourced? While there are benefits from using internal staff, such as familiarity with systems, an external specialist will be able to bring security expertise, albeit at a cost.
Here we look into what’s involved in a vulnerability assessment and how an organisation might run one in-house. We also consider assessment services from a Compliance as a Service (CaaS) provider and why they might deliver benefits outweighing their cost.
What is a vulnerability assessment?
A vulnerability is a weakness that hackers could exploit to break into systems and steal assets, particularly sensitive data. To guard against this, an organisation needs to identify, analyse and carry out remediation for any vulnerabilities detected. Collectively this is known as a vulnerability management system.
Vulnerability assessment identifies and analyses any security vulnerabilities that may be present in the organisation. The evaluation uses specialised scanning tools to discover, test, analyse, and report findings. It is usually carried out on a host or a network basis (although other alternatives are possible). It may be supplemented by manual assessment for governance issues or physical checks.
Whereas penetration testing or ethical hacking is concerned with exploiting a vulnerability, the assessment aims to discover possible weaknesses without necessarily verifying them.
In-house or outsourced?
While both approaches have pros and cons, the choice will often be influenced by the availability of skilled staff. For a startup or even an SMB, it’s unlikely that the internal team would have the time or skills to carry out security assessments. However, they may have the option to perform an initial evaluation to uncover and remediate apparent weaknesses. This activity could then be followed up by a CaaS specialist running a formal assessment.
An enterprise may be better placed to complete the work in-house. A permanent team, or a task force, could conduct assessments on core systems and regional variations, reporting to central security management. The enterprise may have stringent security standards, so an internal team would be better placed to apply them than a consultant.
It’s essential to remember that vulnerability management is an ongoing process rather than merely a periodic check. Therefore, security assessments should be carried out as a scheduled activity, possibly monthly, and whenever significant changes are made to the environment.
It’s also vital that the IT team can remediate issues rapidly. An industry rule of thumb is that failure to patch a known vulnerability within one week will raise the risk of a breach to a moderate level. After a month, the risk will be high level. Therefore, a function of vulnerability management is monitoring announcements from vendors such as Microsoft and planning when patches will be implemented.
The ongoing nature of the process indicates that a hybrid approach may fit; a periodic assessment from a CaaS specialist, working closely with IT staff who will action the conclusions and use scanning tools on an interim basis.
In-house process
The process consists of 5 key steps:
– Planning needs to consider the specific networks and systems to be assessed and the location of sensitive data. The assessment will require time from experienced staff from across the organisation; this needs to be approved by their management and ring-fenced. The participants need to have a clear expectation as to what the work involves.
– Scanning is used to identify any weaknesses in systems and networks. Automated tools can report many possible issues, particularly the first time they are used.
– Analysis is carried out to quantify the risk of each weakness, its cause and the potential impact of an exploit.
– Remediation is the process of resolving weaknesses, either by applying a patch or by implementing additional security measures.
– Iterate! Vulnerability assessment is an ongoing process, and the list of weaknesses should shrink over time. Referring back to previous reports will demonstrate the progress being made.
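The analysis, remediation and iterate steps above, together with the patch-age rule of thumb from the earlier section, can be captured in a small tracker that compares two successive scan reports and bands every still-open finding by how long it has been known. This is an added example, not Gradeon's code or tooling; the finding ids, hosts and dates are constructed placeholders.

```python
from datetime import date

# Constructed sample data (not from the article): placeholder finding ids,
# the hosts each was seen on, and the date each was first reported.
PREVIOUS_SCAN = {
    "FINDING-001": {"web-01", "web-02"},
    "FINDING-002": {"db-01"},
    "FINDING-003": {"web-01"},
}
CURRENT_SCAN = {
    "FINDING-001": {"web-02"},   # partly remediated, still open
    "FINDING-003": {"web-01"},   # untouched since last scan
    "FINDING-004": {"mail-01"},  # newly detected
}
FIRST_SEEN = {
    "FINDING-001": date(2022, 9, 20),
    "FINDING-002": date(2022, 10, 1),
    "FINDING-003": date(2022, 10, 10),
}

def risk_from_age(first_seen, today):
    """Article's rule of thumb: open over a week is moderate, over a month is high."""
    age_days = (today - first_seen).days
    if age_days > 30:
        return "high"
    if age_days > 7:
        return "moderate"
    return "low"

def compare_scans(previous, current):
    """Split finding ids into (new, resolved, persisting) between two assessments."""
    prev_ids, cur_ids = set(previous), set(current)
    return sorted(cur_ids - prev_ids), sorted(prev_ids - cur_ids), sorted(prev_ids & cur_ids)

def progress_report(previous, current, first_seen, today):
    """Summarise the iteration and age-band every finding that is still open."""
    new, resolved, persisting = compare_scans(previous, current)
    open_findings = {}
    for fid, hosts in current.items():
        seen = first_seen.get(fid, today)  # a new finding starts ageing today
        open_findings[fid] = {"hosts": sorted(hosts), "risk": risk_from_age(seen, today)}
    return {"new": new, "resolved": resolved, "persisting": persisting, "open": open_findings}

def example_report():
    """Run the comparison on the constructed data as of the 28 October 2022 scan."""
    return progress_report(PREVIOUS_SCAN, CURRENT_SCAN, FIRST_SEEN, date(2022, 10, 28))

if __name__ == "__main__":
    for fid, info in example_report()["open"].items():
        print(f"{fid}: {info['risk']:<8} on {', '.join(info['hosts'])}")
```

The "high" band here flags the finding that has been open since the previous scan cycle and should be prioritised in the remediation step, while the resolved list is the progress figure to carry forward into the next report.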
Outsourced process
Four assessment types are routinely carried out:
– Network-based
– Host-based
– Wireless (focused on potential attacks on the wireless network)
– Applications (along with pen testing)
In benchmarking a security service provider, assess their experience working with organisations of a similar size and, crucially, in the same industry sector (for regulatory requirements). Next, verify that their services and reporting style suit the business. Finally, ensure they are accredited to carry out any regulatory compliance assessments that are required.
Choosing an approach
In-house or outsourced? There are good arguments for either approach or a hybrid of the two. However, any organisation subject to GDPR must make a choice and carry out security assessments; failure to do so risks the future of the business. Gradeon can help enterprises in vulnerability assessment to comply with GDPR by conducting regular scans of their systems and providing detailed reports of any vulnerabilities that are found. By keeping up to date on the latest security threats and regularly testing their designs, Gradeon can help businesses to identify and fix any vulnerabilities before they are exploited. In addition, Gradeon can guide how best to secure sensitive data and ensure that only authorised users can access it. By working with Gradeon, businesses can rest assured that they are taking all the necessary steps to comply with UK DPA 2018 and GDPR to protect their customers’ data. Learn more about how Gradeon assesses your organisation to implement an effective vulnerability management programme: https://gradeon.co.uk/service/vulnerability-assessment/#cyber-testing-services