Many organisations trust that their own systems and applications “will be secure somehow”. Especially when third parties such as IT service providers or cloud services are involved, trust in IT security runs high.

Our experience shows: often too much, because security gaps lurk here as well. These often arise from inadequate programming, carelessness during development – or simply through ignorance.

But how do decision-makers tackle the challenge of planning and carrying out a sensible IT security investigation tailored to the respective organisation? Is a vulnerability scan and/or a penetration test the “right” procedure? What other topics – for example, (Azure) Active Directory configuration – are worth taking a closer look at?
Organisations should ask themselves the following questions together with their IT security service provider:

1) Which systems do you want to put through their paces as part of the IT security audit?

Particularly in the case of large system and application landscapes, it can make sense to segment and focus on particularly risk-relevant systems first.

2) When are the results needed?

Often there are customer or regulatory requirements that dictate a fixed timeline. Find out well in advance when the results are needed in the form of a detailed report.

3) How “healthy” is your IT security?

The main concern here is whether an investigation has been carried out before – and if so, how long ago. As with our own health, we should not wait too long between check-ups.

4) Do third-party approvals for the test need to be obtained, and how quickly?

Cloud services, IT service providers and even customers are keen to keep any operational disruption to an absolute minimum during an investigation. Therefore, prior authorisation or at least notice of an investigation is often required.

How safe are you?

If you have any questions or are unsure – our experts will be happy to provide holistic advice on the right course of action. We help you to use the budgets for IT security investigations in the most targeted way possible and to gain the best possible insights in the process.
