Which came first (or should): Assessment, Consultation or Penetration Test

Does your company do annual assessments and penetration tests?  Your answer should be yes.  Ask yourself this, have you ever had a annual consultation?  Assessments and penetration tests are important and vital to ensuring proper information security controls are working.  But what should be more important and also done annually ( before assessments and penetration tests ) is a consultation with an outside information security consultant.

A consultation with an Information Security consultant is a review of your current security posture and is used to verify you have the needed and required security controls in place.  This review should not involve scanning tools, servers, networks or any other technical devices.   This review should  look at documentation and processes covering items such as anti-virus on servers and PCs, firewall configurations, network design, switch and router ACL, state of patches and more.  This is a thorough review of the state of your company’s security posture.  This is your Information Security gap analysis.

This analysis will assist you in ensuring you are implementing proper and thorough layered security and help set the short term direction of your information security work.  This means implementing controls that are missing and updating controls that are weak.

After these gaps are “plugged” then plan to have an assessment done to verify the remediation work is complete and that the controls are effective.