My company will be tested for security system flaws


My company's IT department will be tested by another IT security company in order to find holes, weak points in our system and any other IT failures that compromise our company. I am the IT Support Specialist, but this is the first time I have had this procedure happen.

I am looking for some advice on:

1 - What should I do next from my IT department?

2 - What questions should I ask them before they start?

Any ideas?

Please advise.

mallony (IT Technician) asked:

The purpose needs to be defined and agreed on. These things have a way of allowing scope creep. Know what you want tested by using the company to give you what they can and cannot do. They will be needing a get-out-of-jail-free card in the form of a letter from the highest source at your company. If you're hoping for a comprehensive test, you'll need to have external penetration testing, internal vulnerability assessment, both onsite and remote social engineering, general controls review and physical penetration test.

Don't change anything now. This will allow them to give you a snapshot in time of your security posture. Then, work with them to get the resolution of the issues found worked on. This is a long-haul project; take your time getting it right. Also, please ensure that they use both automated and manual processes while doing this assessment. They need to be able to assign highs, mediums and lows based on your risk appetite.

As netcmh says, Scope is all important. It creates trust and understanding for both parties (and also stops your security company digressing just to fatten any report).

While doing nothing and waiting to see where your holes are is good experience, I would suggest making sure that your policies and procedures are up to date, and that you do in fact practice what you preach in these policies. A good portion of the security test should focus on this area.

Whenever I have had one of these testing cycles, I always schedule a return visit. Visit one is there to help you as a company understand your posture and capabilities, and visit 2 is there to assess your progress. It is visit 2 that is the most important.

Make sure everyone at your company fully understands that a security assessment like this is for everyone to learn from, and to provide a path forward to your agreed-upon end point. It is not really beneficial to use it as a final grade.

Good luck
Depending on your environment, the testing company may be able to do either a full-blown pen test or one that doesn't execute any vulnerabilities found. Obviously the full test shows you the most, but it's also possible to have some downtime or loss of connectivity with a full-blown test.

We recently had one done and opted for testing up to the point of them doing things that might have caused downtime. We know what the issues are and can now take steps to remediate them, and at some point have the testing company do another test.

As the other experts say, don't change anything in your environment now in order to get the most accurate test. Once you have the results you'll need to identify real threats and issues vs. things that it might be good to fix but may not cause any real issues. Then you'll need to decide on what budget you have and what technologies can be employed in order to fix the issues.

You should also decide what method they should use. The pentest might be more effective if you do an audit as well, so let them ask you questions about your procedures instead of just trying to hack in. Having them sit down and just scan all your servers might reveal a lot, but letting them see what your security policies and workflows are is much more important. Best would be to do both.

I agree. One assessment report had all these vulnerabilities that needed to be resolved ASAP. But putting them into context proved that more than half of them were either not relevant at all or could be resolved by the next maintenance cycle or even in 6 months. Understanding the organization and its own little ecosystem is an art which very few of these companies provide. I would much rather have a 2-person team sit with all the business process leads and understand the company, and then work with us to develop a plan of attack. We might even be surprised to find a process which we thought we decommed a few months ago in their findings. We might even surprise them by increasing the scope once the entire plan is laid out.

I'm glad you asked this question and started this thread. It's going to be chock full of hints and methods once it's through, for posterity.
mallony (IT Technician, Author) commented:

Great tips!

mallony (IT Technician, Author) commented:

Very valuable information

mallony (IT Technician, Author) commented:

Great advice
Thank you for the grade. Good luck.