DocumentCode :
594281
Title :
Cost effective assessment of the infrastructure security posture
Author :
Williams, Gustavious P.
Author_Institution :
IT Governance Ltd., UK
fYear :
2012
fDate :
15-18 Oct. 2012
Firstpage :
1
Lastpage :
6
Abstract :
An organisation's security posture is an indication of the countermeasures that have been implemented to protect the organisation's resources. The countermeasures are security best practices that are appropriate to the organisation's risk appetite and business requirements. The security posture is defined by an organisation's security policy, its mission statement and its business objectives. Countermeasures come with a cost, which should not exceed the value of the resources they protect; they should be effective, provide value for money and give the organisation a return on investment. Measuring how an organisation's actual security posture relates to its agreed acceptable level of risk is a problem organisations face when examining whether their countermeasures are effective and provide value for money and a return on investment. There are two methodologies that can be used: (1) auditing, which is the mechanism of confirming that processes or procedures agree with a master checklist for compliance; and (2) assessing, which is a more active, or intrusive, testing methodology used to assess processes or procedures that cannot be adequately verified using a checklist or security policy alone. This paper investigates the attack surface of an organisation's infrastructure and applications, examining the cases where the use of cloud and mobile computing has extended the infrastructure beyond the traditional perimeter of the organisation's physical locations, and the challenges this causes in assessing the security posture. A review of the use of assessment methodologies such as vulnerability assessment and penetration testing to assess the infrastructure and application security posture of an organisation shows how they can identify vulnerabilities, which can aid the risk assessment process in developing a security policy.
It will demonstrate how these methodologies can help in assessing the effectiveness of the implemented countermeasures and aid in evaluating whether they provide value for money and a return on investment. It is proposed that a long term strategy of using both methodologies to assess the security posture, based on the business requirements, will provide the following benefits: cost effective monitoring of the infrastructure and security posture; ensuring that the countermeasures retain effectiveness over time; responding to the continually changing threat environment; and ensuring that value for money and return on investment are maintained.
Keywords :
business data processing; cloud computing; cost-benefit analysis; investment; mobile computing; organisational aspects; risk analysis; security of data; business objectives; business requirement; cloud computing; compliance checklist; cost effective assessment; cost effective monitoring; infrastructure security posture; mission statement; mobile computing; organisation resource protection; organisation security posture; organisations risk appetite; penetration testing; procedure assessment; process assessment; return on investment; risk assessment process; risk level; security best practice; security countermeasures; security policy; surface attack area; threat environment; vulnerability assessment; vulnerability identification; Infrastructure; assessment; attack surface; cost effective; security posture;
fLanguage :
English
Publisher :
iet
Conference_Titel :
System Safety, incorporating the Cyber Security Conference 2012, 7th IET International Conference on
Conference_Location :
Edinburgh
Electronic_ISBN :
978-1-84919-678-9
Type :
conf
DOI :
10.1049/cp.2012.1503
Filename :
6458945