Many organisations trust that their own systems and applications “will be secure somehow”. Especially when third parties such as IT service providers or cloud services are involved, trust in IT security tends to run high.

Our experience shows: often too much, because security gaps lurk here as well. These often arise from inadequate programming, carelessness during development – or simply through ignorance.

But how do decision-makers tackle the challenge of planning and carrying out a sensible IT security investigation tailored to the respective organisation? Is a vulnerability scan and/or a penetration test the “right” procedure? What other topics – for example, (Azure) Active Directory configuration – are worth taking a closer look at?

Organisations should ask themselves the following questions together with their IT security service provider:

1) Which systems do you want to put through their paces as part of the IT security audit?

Particularly in the case of large system and application landscapes, it can make sense to segment and focus on particularly risk-relevant systems first.

2) When are the results needed?

Often there are customer or regulatory requirements that dictate a fixed timeline. Find out well in advance when the results are needed in the form of a detailed report.

3) How “healthy” is your IT security?

The main concern here is whether an investigation has been carried out before – and if so, how long ago. As with our own health, we should not wait too long between check-ups.

4) Do third-party approvals for the test need to be obtained, and how quickly?

Cloud services, IT service providers and even customers are keen to keep any operational disruption to an absolute minimum during an investigation. Therefore, prior authorisation or at least notice of an investigation is often required.

How safe are you?

If you have any questions or are unsure – our experts will be happy to provide holistic advice on the right course of action. We help you to use the budgets for IT security investigations in the most targeted way possible and to gain the best possible insights in the process.
