Inhouse Vs Outsourced security assessments compared

October 28, 2022
Posted by: Gradeon
Category: Consulting

It’s essential to carry out regular vulnerability assessments to comply with GDPR. The regulation does not explicitly mandate that, but it’s implicit; assessment is a critical component in cyber security. Failing to implement reasonable security practices will not only leave an organisation open to hackers but will also be considered when determining penalties following any data breach.

An organisation planning to carry out a vulnerability assessment for the first time is faced with a clear choice. In-house or outsourced? While there are benefits from using internal staff, such as familiarity with systems, an external specialist will be able to bring security expertise, albeit at a cost.

Here we look into what’s involved in a vulnerability assessment and how an organisation might run one in-house. We also consider assessment services from a Compliance as a Service (CaaS) provider and why they might deliver benefits outweighing their cost.

What is a vulnerability assessment?

A vulnerability is a weakness that hackers could exploit to break into systems and steal assets, particularly sensitive data. To guard against this, an organisation needs to identify, analyse and carry out remediation for any vulnerabilities detected. Collectively this is known as a vulnerability management system.

Vulnerability assessment identifies and analyses any security vulnerabilities that may be present in the organisation. The evaluation uses specialised scanning tools to discover, test, analyse, and report findings. It is usually carried out on a host or a network basis (although other alternatives are possible). It may be supplemented by manual assessment for governance issues or physical checks.

Whereas penetration testing or ethical hacking is concerned with exploiting a vulnerability, the assessment aims to discover possible weaknesses without necessarily verifying them.

In-house or outsourced?

While both approaches have pros and cons, the choice will often be influenced by the availability of skilled staff. For a startup or even an SMB, it’s unlikely that the internal team would have the time or skills to carry out security assessments. However, they may have the option to perform an initial evaluation to uncover and remediate apparent weaknesses. This activity could then be followed up by a CaaS specialist running a formal assessment.

An enterprise may be better placed to complete the work in-house. A permanent team, or a task force, could conduct assessments on core systems and regional variations, reporting to central security management. The enterprise may have stringent security standards, so an internal team would be better placed to apply them than a consultant.

It’s essential to remember that vulnerability management is an ongoing process rather than merely a periodic check. Therefore, security assessments should be carried out as a scheduled activity, possibly monthly, and whenever significant changes are made to the environment.

It’s also vital that the IT team can remediate issues rapidly. An industry rule of thumb is that failure to patch a known vulnerability within one week will raise the risk of a breach to a moderate level. After a month, the risk will be high level. Therefore, a function of vulnerability management is monitoring announcements from vendors such as Microsoft and planning when patches will be implemented.

The ongoing nature of the process indicates that a hybrid approach may fit; a periodic assessment from a CaaS specialist, working closely with IT staff who will action the conclusions and use scanning tools on an interim basis.

In-house process

The process consists of 5 key steps:

– Planning needs to consider the specific networks and systems to be assessed and the location of sensitive data. The assessment will require time from experienced staff from across the organisation; this needs to be approved by their management and ring-fenced. The participants need to have a clear expectation as to what the work involves.

– Scanning is used to identify any weaknesses in systems and networks. Automated tools can report many possible issues, particularly the first time they are used.

– Analysis is carried out to quantify the risk of each weakness, its cause and the potential impact of an exploit.

– Remediation is the process of resolving weaknesses by simply applying a patch or implementing additional security measures.

– Iterate! Vulnerability assessment is an ongoing process, and the list of weaknesses will reduce over time. Referring back to previous reports will demonstrate the progress being made.

Outsourced process

Four assessment types are routinely carried out:

– Network-based

– Host-based

– Wireless (focused on potential attacks on the wireless network)

– Applications (along with pen testing)

In benchmarking a security service provider, assess their experience working with organisations of a similar size and, crucially in the same industry sector (for regulatory requirements). Next, verify that their services and reporting style suit the business. Finally, ensure they are authorised to carry out appropriate regulatory compliance if necessary.

Choosing an approach

In-house or outsourced? There are good arguments for either approach or a hybrid of the two. However, any organisation subject to GDPR must make a choice and carry out security assessments; failure to do so risks the future of the business. Gradeon can help enterprises in vulnerability assessment to comply with GDPR by conducting regular scans of their systems and providing detailed reports of any vulnerabilities that are found. By keeping up-to-date on the

latest security threats and regularly testing their designs, Gradeon can help businesses to identify and fix any vulnerabilities before they are exploited. In addition, Gradeon can guide how to best secure sensitive data and ensure that only authorised users can access it. By working with Gradeon, businesses can rest assured that they are taking all the necessary steps to comply with UK DPA 2018 & GDPR to protect their customers’ data. Learn more about how Gradeon accessed your organisation to implement an effective vulnerability management Programme. https://gradeon.co.uk/service/vulnerability-assessment/#cyber-testing-services

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_XJTBGPGZEW	2 years	This cookie is installed by Google Analytics.
_gat_UA-202583883-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	16 years 2 months 11 days 22 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Inhouse Vs Outsourced security assessments compared

What is a vulnerability assessment?

In-house or outsourced?

In-house process

Outsourced process

Choosing an approach

Consulting Services

Compliance Services

PCI Services

Cyber Services

Products

IT Infrastructure

How can we help you?