The term "security assessment" is widely used throughout the security industry today, but it carries different meanings depending on the industry, the professional services company and the IT department. The best practice for defining a security assessment is to establish the differences between a security audit and a security assessment. An audit is performed against established requirements, such as a policy or a standard; an assessment is performed against best practice, expectation and/or a standard, and is therefore more interpretative than an audit. For this reason, the methodology chosen for an assessment is critical. Audits have established methodologies, such as SAS 70, but assessments have no equivalent industry standard. The selection of an assessment methodology therefore has a long-term impact.
In order to define the scope of a security assessment, it is best to start with people, process and technology. There are different methods for each of these groups, and the purpose of the assessment drives the choice. For example, is it compliance driven, with the customer getting ready for an audit? Is it investigative, with a new CISO wanting to know what is going on within the organization? Is it to verify policy and standards, with the customer wanting to ensure that the security policies in place are being adhered to by employees?
Additional questions identify the customer's major areas of concern. For example, is the concern financial data, credit card data or customer data? What is the customer most concerned about that should be included in the assessment?
The last part of defining the scope of the assessment is the technology aspect. How large is the customer's environment (infrastructure)? Does the organization have multiple locations, and are all of them included in the assessment? Determining the number of IP addresses, servers (including server types), desktops (including OS versions) and network devices (including firewalls and VPNs) also helps to determine the breadth and depth of the scope. Other items that can be covered in a security assessment include wireless networks, physical security and social engineering. Whether the customer requires these should be established up front and used to set the scope of the assessment.