An Information Security Place

Commentary on the State of Information Security
Filed under Security

 Due to my bad judgement, I have not been to the dentist in quite a while (I won’t say how long it has been), and I am dreading going back (I have an appointment today).  As I was pondering the pain that will be my payment for poor decision-making, I started thinking how going to the dentist is a lot like getting a security assessment performed.

First of all, if you have never been to the dentist or haven’t been in a while, you need to have a BIG cleaning and checkup done to ascertain the health of your teeth (cavities or other dental maladies) so the dentist can determine what direction your treatment needs to take.  It is the same with a security assessment.  If you have never had one, or it has been a while, you need to have one performed so the strength of your security program can be established (a gap analysis is like finding cavities).

Second, after the initial cleaning and checkup, the dentist can work up a treatment plan to help get your teeth back to a healthful state (if there are major problems).  In the same way, a good security assessment will include a remediation plan.  If all you get out of a security assessment is the problems that were found, then you paid good money for next to nothing.

Third, most recommendations say that a dentist visit every 6 months to a year is good practice.  If you don’t have any serious issues, the dentist can just perform a regular checkup and cleaning to keep your teeth healthy.  Remember, even if you have thick enamel and your gums are healthy, you can still have problems caused by neglect.  If you start eating more sugar for some reason, you have made a change in your eating habits that could affect your teeth.  In the same vein, it is generally accepted that some sort of security assessment be done once a year, even if that is done internally to make sure your security program is healthy and has kept up with any changes in your environment.  Even if your overall program is strong, and you have very good policies and procedures in place, a change in the environment can render the most ingenious policy obsolete.

Fourth, you should brush and floss your teeth every day to keep your teeth healthy.  Similarly, you should also do spot checks of your security environment fairly regularly and perform preventative maintenance (patching, firmware updates, etc.).

There’s my crazy analogy for the day.  Remember me as I writhe in pain this afternoon.

Vet

Posted by Michael Farnum on Wednesday, June 20th, 2007