Many organisations trust that their own systems and applications “will be secure somehow”. Especially when third parties such as IT service providers or cloud services are involved, trust in IT security tends to be high.

Our experience shows that this trust is often misplaced, because security gaps lurk here as well. They typically arise from poor programming practice, carelessness during development, or simply a lack of awareness.

But how do decision-makers tackle the challenge of planning and carrying out a sensible IT security investigation tailored to the respective organisation? Is a vulnerability scan and/or a penetration test the “right” procedure? What other topics – for example, (Azure) Active Directory configuration – are worth taking a closer look at?

Organisations should ask themselves the following questions together with their IT security service provider:

1) Which systems do you want to put through their paces as part of the IT security audit?

Particularly in the case of large system and application landscapes, it can make sense to segment the scope and focus on the most risk-relevant systems first.

2) When are the results needed?

Often there are customer or regulatory requirements that dictate a fixed timeline. Find out well in advance when the results are needed in the form of a detailed report.

3) How “healthy” is your IT security?

The main concern here is whether an investigation has been carried out before, and if so, how long ago. As with our own health, we should not wait too long between check-ups.

4) Do third-party approvals for the test need to be obtained, and how quickly?

Cloud services, IT service providers and even customers are keen to keep any operational disruption to an absolute minimum during an investigation. Prior authorisation, or at least advance notice of an investigation, is therefore often required.

How secure are you?

If you have any questions or are unsure – our experts will be happy to provide holistic advice on the right course of action. We help you to use the budgets for IT security investigations in the most targeted way possible and to gain the best possible insights in the process.
