What is a security assessment?

March 26, 2024
John Bruggeman
Consulting CISO

Is a security assessment the same thing as a vulnerability assessment or a risk assessment or a zero trust assessment?

How is a security assessment different from a penetration test?

What about a compliance assessment, like PCI DSS or HIPAA?

As a cybersecurity expert, I get this question a lot, and I am not surprised. If your job is not focused on security or cybersecurity, the terms can sound interchangeable, even to a CIO or CEO.

In fact, they all do the same kind of thing: evaluate the health of your computer environment and network. Security assessments in general are essential for any organization because you can use them to identify and mitigate potential vulnerabilities and threats to your computer environment. Each of the assessments I named focuses on a particular task or function. Think of them like going to your doctor to get a check-up or to learn whether you have a higher risk of a heart attack or stroke.

But which one(s) do you need? Where do you start? Let’s start by explaining what each one does.

A guide to assessments and their role in security

A penetration test, also known as ethical hacking, is a type of assessment that simulates a real-life attacker trying to break into a computer system, software application, or computer network without the risk of having data stolen or encrypted. The main objective is to determine how well existing security measures work when they face a real attack.

Penetration testing can reveal previously unknown security vulnerabilities, such as zero-day threats and software or business logic vulnerabilities. For example, a web application that meets all of its business requirements may still have a flaw in its logic that lets a criminal bypass the authentication tool and steal data. That flaw won’t be apparent until you test the application.

A penetration test, however, is not the same as a vulnerability assessment.

A vulnerability assessment is an automated process that uses software to scan your computer systems and networks for known vulnerabilities. This assessment provides a snapshot of potential holes in an organization’s security at a given point in time. Once the scan is complete, a trained cybersecurity engineer assesses and reports which vulnerabilities present the highest risk to the organization, based on the severity of each vulnerability and the system that has it. To illustrate, let’s say you have a computer with a high-severity vulnerability, but that computer is isolated and access to it is restricted. You might be able to delay patching that vulnerability for 30, 60, or 90 days because of the compensating control of isolating that system.

A vulnerability scan doesn’t test to see if a vulnerability can be exploited; that is what a pen test does.
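To make the “severity plus system context” idea concrete, here is a small prioritization script. It is an added example written for this post, not a CBTS tool or a scanner’s output format. The CVSS v3 qualitative bands (Critical 9.0+, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9) are the standard ones; everything else (the day counts, the exposure weights, the 60-day deferral that isolation buys, the asset and finding names) is an assumed policy chosen to illustrate the 30/60/90-day point above. The `exploited_in_pen_test` flag is there to show the scan/pen-test distinction: a scanner never sets it, because a scan only reports that a vulnerability is present, not that it can be exploited.

```python
from dataclasses import dataclass


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its standard qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


# Assumed policy values for this example; they are not from any standard or from the post.
BASE_DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90, "none": 0}
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}
ISOLATION_DEFERRAL_DAYS = 60   # extra time an isolated host buys for a non-critical finding
MAX_DEADLINE_DAYS = 90         # nothing is deferred past 90 days


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str                        # "internet", "internal" or "isolated"


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                         # scanner finding id (constructed placeholder here)
    cvss: float
    exploited_in_pen_test: bool = False  # only a pen test can set this; a scan cannot


@dataclass(frozen=True)
class Prioritized:
    asset: str
    vuln_id: str
    severity: str
    risk_score: float
    deadline_days: int
    rationale: str


def prioritize(findings, assets):
    """Rank scan findings by severity in context and assign a patch deadline."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        a = by_name[f.asset]
        sev = severity(f.cvss)
        if sev == "none":
            continue
        # Severity alone is the scanner's view; weighting by exposure adds the system context.
        score = round(f.cvss * EXPOSURE_WEIGHT[a.exposure], 1)
        deadline = BASE_DEADLINE_DAYS[sev]
        rationale = f"{sev} on {a.exposure} host"
        if f.exploited_in_pen_test:
            # A confirmed exploit path overrides every compensating control.
            score = 10.0
            deadline = BASE_DEADLINE_DAYS["critical"]
            rationale += "; exploitation confirmed by pen test"
        elif a.exposure == "isolated" and sev != "critical":
            # Isolation is a compensating control: it buys time but never removes the finding.
            deadline = min(deadline + ISOLATION_DEFERRAL_DAYS, MAX_DEADLINE_DAYS)
            rationale += "; isolation is a compensating control, patch deferred"
        ranked.append(Prioritized(a.name, f.vuln_id, sev, score, deadline, rationale))
    ranked.sort(key=lambda p: (-p.risk_score, p.deadline_days))
    return ranked


# Constructed sample inventory and scan results; the ids and hosts are invented for this example.
SAMPLE_ASSETS = [
    Asset("web-01", "internet"),
    Asset("hr-db", "internal"),
    Asset("lab-box", "isolated"),
]
SAMPLE_FINDINGS = [
    Finding("web-01", "SCAN-1", 7.5),
    Finding("hr-db", "SCAN-2", 5.3),
    Finding("lab-box", "SCAN-3", 8.1),   # high severity, but the host is isolated
    Finding("lab-box", "SCAN-4", 9.8),   # critical: isolation does not defer it
    Finding("hr-db", "SCAN-5", 6.1, exploited_in_pen_test=True),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f"{p.asset:8} {p.vuln_id:7} {p.severity:8} score={p.risk_score:4} "
              f"due in {p.deadline_days:2d} days  ({p.rationale})")
```

Running it puts the medium-severity finding that the pen test actually exploited at the top of the list with a 7-day deadline, ahead of the high-severity finding on the internet-facing server, while the high-severity finding on the isolated lab host drops to the bottom with 90 days. That is the engineer’s judgement from the paragraph above expressed as a repeatable rule.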


A risk assessment is a comprehensive analysis of a specific environment that identifies, quantifies, and prioritizes the risks associated with an organization’s computer network, system, or a specific application. The process considers various factors, such as the likelihood of a risk occurring, its potential impact, and the effectiveness of the current security measures. An easy way to think about a risk assessment is a real-world decision, such as whether to build a house near the bank of a river. You would ask yourself: does the river flood? If it does, how high does it get? Maybe you build your house on the bank of the river but put it up on stilts so it can withstand a flood, or you build further back from the bank.

A risk assessment will take into consideration what vulnerabilities exist in your environment, but it is more comprehensive than a vulnerability assessment and provides a vital piece to determining your organization’s risk: context.

A compliance assessment measures an organization’s adherence to a given set of security standards or regulations required by the government or a compliance organization. For companies or organizations that handle sensitive data—like financial information or personal health data—there are compliance regulations like HIPAA, PCI DSS, CCPA, CPRA, GDPR, ITAR, CMMC, etc. Some government regulations have strict computer security controls that must be followed, like HIPAA, which dictates how data on people can be stored or transmitted. Other industry standards, like PCI DSS, have controls that must be followed to use credit cards online or in a store.

I have worked with several companies over the years to help them improve their security so that they meet compliance regulations. A compliance assessment does not assess vulnerabilities or test the controls; it simply evaluates whether the controls are in place.

A security program assessment compares a company’s cybersecurity controls against well-known frameworks like the NIST Cybersecurity Framework, CIS Controls, or ISO 27001. Each of these frameworks maps out a list of security controls—like strong passwords, MFA, installing anti-malware software, segmenting computer networks, and installing firewalls—forming the basis of a good cybersecurity program. I have done many security program assessments, and they help an organization know what they are doing well and what they need to improve.

Using a well-known framework rather than a vendor-based framework allows a company to pick the vendor they want rather than being locked into a vendor-specific solution. For example, if the CSF says that you must use MFA, you can implement whatever MFA solution you want, not just a vendor-specific MFA tool. The same goes for firewalls, malware protection, and other network security controls.

Like a compliance assessment, a program assessment does not test the controls or find vulnerabilities; it evaluates if the controls are in place.


A Zero Trust readiness assessment is a new assessment, and it measures how close a company is to meeting the NIST Zero Trust Architecture framework, Special Publication 800-207. This is a custom assessment that CBTS has developed for our customers who work with the Federal government. Executive Order 14028, issued in May of 2022, said in part, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

A transition to a “zero trust” approach to security provides a defensible architecture for this new environment. Because the federal government is heading toward a zero trust architecture, many companies with federal contracts are moving in the same direction to stay aligned with federal guidelines and policies. While this assessment was designed for our customers who work with the federal government, the process can be, and has been, applied effectively to customers in other verticals.


Each assessment focuses on a different aspect of security. So what do you need to do?

Are you just getting started with cybersecurity? Do you have any security controls in place or security concerns?

If you are just getting started with cybersecurity, then you should start with a security assessment. Just like a regular health checkup, a security assessment gives you a picture of your health. What are you doing right? Are there serious issues that you need to address right away?

If you have a good security program and want to test the controls you have in place, then start with a penetration test. Some compliance regulations—like FTC Safeguards—require annual penetration tests, so you might already be familiar with that kind of annual engagement.

Do you have to comply with HIPAA, PCI DSS, Zero Trust, or FTC Safeguards?

If so, get assessed against those compliance frameworks to find your gaps before you engage and pay an auditor only to learn that you do not measure up. For those with these compliance requirements, this isn’t news to you. You have controls in place, but you might not be sure how well the controls are configured and whether you are meeting the compliance requirements. A compliance assessment will be cheaper than an audit, so consider getting assessed before paying an auditor to confirm the controls you have in place.

Do you have to conduct annual penetration tests, aka pen tests?

Several government regulations require annual pen tests. If your company needs to conduct annual pen tests, then start with the pen test. Suppose the pen test uncovers vulnerabilities that you were not expecting. In that case, do a vulnerability assessment or security assessment to get a broader view of your environment to address the gaps in your security.

Do you know your risk?

Have you quantified the cybersecurity risk in your environment? Do you know what your risks are and have you documented them? If you haven’t documented them, you probably don’t know what they are. You can engage CBTS to help you with a risk assessment to identify, evaluate, and document the cybersecurity risks in your company. I recommend starting with a risk assessment if you don’t have a security program in place. You can find out where you need to invest and how much you need to invest when you do a cybersecurity risk assessment. Once you know what is at risk, you will have a good idea of where to focus your attention, what security framework to implement, and what kind of testing you need to do to confirm your security controls are working as expected.

In conclusion: determine what you need and then assess

Penetration testing, vulnerability assessment, risk assessment, compliance assessment, and program assessments are all essential kinds of cybersecurity assessments. The choice of assessment depends on the organization’s specific needs, goals, and requirements.

You can see that security assessments are crucial for organizations to ensure that their security posture is current and can withstand potential attacks and threats. They are the health checkups for your computer systems and networks.


If you need help, please let us know. We are here to help!
