My Company will be tested for Security system flows


My company's IT department will be tested from another IT Security company in order to find some holes, weak points in our system and any other IT failures that compromise our company. I am the IT Support Specialist but this is my first time i have this procedure happening.

I am looking for some advise in:

1 -  What should I do next from my IT department,

 2 - What question should I asked them before they start

Any ideas?

Please advice.

mallonyIT TechnicianAsked:
Who is Participating?
The purpose needs to be defined and agreed on. These things have a way of allowing scope creep. Know what you want tested by using the company to give you what they can and cannot do. They will be needing a get-out-of-jail-free card in the form of a letter from the highest source at your company. If you're hoping for a comprehensive test, you'll need to have external penetration testing, internal vulnerability assessment, both onsite and remote social engineering, general controls review and physical penetration test.

Don't change anything now. This will allow them to give you a snapshot in time of your security posture. Then, work with them to get the resolution to the issues found worked on. This is a long haul project, take your time getting it right. Also, please ensure that they use both automated and manual processes while doing this assessment. They need to be able to assign high, medium and lows based on your risk appetite.
As netcmh says, Scope is all important. It creates trust and understanding for both parties (and also stops your security company digressing just to fatten any report).

While doing nothing and waiting to see where your holes are is good experience, I would suggest that your policies and procedures are up to date, and that you do in fact practice what you preach in these policies. A good portion of the Security test should focus on this area.

Whenever I have had one of these testing cycles, I always schedule a return visit. Visit one is there to help you as a company understand your posture and capabilities, and visit 2 is there to assess your progress. It is visit 2 that is the most important.

Make sure everyone at your company fully understands that a security assessment like this is for everyone to learn from, and to provide a path forward to your agreed upon end point. It is not really beneficial using it as final grade.

Good luck
Depending on your environment the testing company may be able to do either a full blown pen test or one that doesn't execute any vulnerabilities found.  Obviously the full test shows you the most, but it's also possible to have some downtime or loss of connectivity with a full blown test.

We recently had one done an opted for testing up to them doing things that might have caused downtime. We know what the issues are and can now take steps to remediate them and at some point have the testing company do another test.

As the other experts say, don't change anything in your environment now in order to get the most accurate test. Once you have the results you'll need to identify real threats and issues vs things that it might be good to fix, but may not cause any real issues.  Then you'll need to decide on what budget you have and what technologies can be employed in order to fix the issues.
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

You should also decide what method they should use. The pentest might be more effective if you do an audit as well, so if you let them ask you questions about your procedures instead of just trying to hack in. Having them sit down and just scan all your servers might reveal a lot, but letting them see what your security policies and workflows are, is much more important. Best would be to do both.
I agree. One assessment report had all these vulnerabilities that needed resolved asap. But, putting them into context proved that more than half of them were either not relevant at all or could be resolved by the next maintenance cycle or even 6 months. Understanding the organization and it's own little ecosystem is an art which very few of these companies provide. I would much rather have a 2 person team sit with all the business process leads and understand the company, and then work with us to develop a plan of attack. We might even be surprised to find a process which we thought we decommed a few months ago in their findings. We might even surprise them with increasing the scope once the entire plan is laid out.

I'm glad you asked this question and started this thread. It's going to be chock full of hints and methods once it's through, for posterity.
mallonyIT TechnicianAuthor Commented:
Great tips!
mallonyIT TechnicianAuthor Commented:
Very valuable information
mallonyIT TechnicianAuthor Commented:
Great advice
Thank you for the grade. Good luck.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.