What does a “typical” security assessment look like?

Author: Joe Loomis
Last Updated: February 17, 2023

Maybe you are thinking about getting a security assessment. Are you ready? What will they find? What if they find something BIG? It is hard to be completely prepared for your first assessment. However, as with most things, preparation and teamwork are what lead to success.

When doing an assessment, it is easy to get wrapped up in all the things that need to be fixed; we prefer to call them “opportunities for improvement”. Any experienced assessment team should also be pointing out all of the things that are being done correctly.

A typical assessment can be divided into three stages:
1. Planning Stage (1 – 2 Months)
2. Assessment Stage (1 – 5 Days)
3. Reporting Stage (1 – 4 Weeks)

The planning stage occurs first. This is where everything that is going to be assessed (think IP addresses) is defined, along with the rules of engagement. Next is the assessment stage, which happens on-site at your facilities and is when testing is performed and data is collected. The final stage is reporting, where the data is analyzed and the results are shared.

Understanding the different stages of a security assessment helps you to know what to expect. You can divide the necessary work into manageable pieces and measure progress. For example, one step during the planning stage could be to select the devices to be tested and determine when they will be available for testing. You are also able to maximize the value provided by the assessment by determining coverage and depth in advance. Although it is normal to have a few IPs added or removed during an assessment, you don’t want to miss a whole subnet because of poor planning and lack of time.
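One practical way to avoid exactly that gap is to reconcile the agreed scope against your own asset inventory before the on-site stage starts. The script below is an added example written for this article, not code from the author or from any assessment team; the subnets, exclusions and host list are constructed sample values, not from a real engagement. It uses only Python’s standard `ipaddress` module and reports which in-scope subnets have no hosts scheduled for testing, which inventoried hosts fall outside the agreed scope, which ones hit an agreed exclusion, and any entries that are not valid addresses at all.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample planning data (hypothetical, not from a real engagement).
IN_SCOPE = ["10.10.0.0/24", "10.10.1.0/24", "192.168.50.0/26"]
# Addresses the rules of engagement take off the table (e.g. fragile production gear).
EXCLUDED = ["10.10.0.1/32", "10.10.1.250/31"]
# Host inventory: address -> the availability window agreed with its owner.
INVENTORY = {
    "10.10.0.15": "Tue 09:00-17:00",
    "10.10.0.22": "Tue 09:00-17:00",
    "10.10.1.5": "Wed 09:00-12:00",
    "10.10.0.1": "Tue 09:00-17:00",   # matches an exclusion
    "172.16.4.9": "Wed 13:00-17:00",  # never agreed as in scope
    "10.10.0.300": "Thu 09:00-12:00", # typo in the inventory spreadsheet
}


@dataclass
class ScopeReport:
    covered: dict = field(default_factory=dict)      # subnet -> hosts scheduled in it
    uncovered_subnets: list = field(default_factory=list)  # agreed scope with no hosts
    out_of_scope_hosts: list = field(default_factory=list)  # hosts outside agreed scope
    excluded_hosts: list = field(default_factory=list)      # hosts hitting an exclusion
    invalid_entries: list = field(default_factory=list)     # inventory rows that don't parse


def reconcile_scope(in_scope, excluded, inventory) -> ScopeReport:
    """Compare the agreed scope with the host inventory and flag every mismatch."""
    nets = [ipaddress.ip_network(n, strict=False) for n in in_scope]
    excl = [ipaddress.ip_network(n, strict=False) for n in excluded]
    report = ScopeReport(covered={str(n): [] for n in nets})

    for host in inventory:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            # A bad row in the inventory is a planning defect, not something to skip silently.
            report.invalid_entries.append(host)
            continue
        if any(addr in e for e in excl):
            report.excluded_hosts.append(host)
            continue
        home = next((n for n in nets if addr in n), None)
        if home is None:
            report.out_of_scope_hosts.append(host)
        else:
            report.covered[str(home)].append(host)

    # A subnet that was agreed in scope but has nothing scheduled is the "missed subnet" case.
    report.uncovered_subnets = [s for s, hosts in report.covered.items() if not hosts]
    return report


def format_report(report: ScopeReport) -> str:
    """Render the reconciliation as a short checklist for the planning meeting."""
    lines = []
    for subnet, hosts in report.covered.items():
        lines.append(f"{subnet}: {len(hosts)} host(s) scheduled")
    for label, items in (
        ("NO HOSTS SCHEDULED in agreed subnet", report.uncovered_subnets),
        ("Host outside agreed scope", report.out_of_scope_hosts),
        ("Host matches an exclusion", report.excluded_hosts),
        ("Unparseable inventory entry", report.invalid_entries),
    ):
        for item in items:
            lines.append(f"  {label}: {item}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile_scope(IN_SCOPE, EXCLUDED, INVENTORY)))
```

Run it against the real scope document and inventory export once they exist; anything listed under “NO HOSTS SCHEDULED” or “outside agreed scope” is a conversation to have with the assessment team before day one, not during it.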

If it is your first assessment, you want to work with an assessment team that becomes part of your team. The most important thing is communication. They need to take the time to address your questions before, during, and after the assessment. They also need to share the results in a way that communicates your strengths and weaknesses. Finally, they need to provide an action plan to help you rapidly improve security.

With a little bit of planning and an experienced team, you will find that having a security assessment performed is easier than you thought.