Information security does not just happen in an organization. Keeping customer information secure takes a lot of planning and proactive work, and it cannot rest on one person or group. Everyone needs to be involved.
Our information security department takes a proactive approach to keeping our data secure. At least once a year, penetration testing is done against all of our Web sites to verify that they remain secure. The information security department plans the testing of every site and coordinates with each affected area before the test begins. Afterwards, the testers write a report detailing all of the security risks found, and developers are assigned to fix them.
Each reported issue is rated low, medium, or high. High-rated issues must be fixed as soon as possible, and medium-rated issues are also remediated as soon as possible. For low-rated issues, we usually only need a documented plan to remediate them when we can.
Occasionally, an issue is rated low but the cost to remediate it is high. In that case the business unit can "sign off" on the risk: once it has all of the information, it has the authority to accept the risk rather than fix it. Only a low-rated risk can be accepted this way; medium and high risks do not offer that option. An accepted risk should be recorded along with who accepted it and why, and it should be revisited at the next test, because a finding's rating can change when the surrounding application changes.
What does penetration testing do? It is an authorized attempt to circumvent the security of a Web site. The main purpose of a penetration test is to find and demonstrate weaknesses that would let an attacker get past the safeguards in an application, so that they can be fixed. These permitted "attacks" are planned, scoped, and coordinated with every area affected by the test. That written authorization and agreed scope are what make it legal to attack a Web site in this manner; without them, the same activity is a crime. A company will often pay another company that specializes in this kind of testing to find as many vulnerabilities as it can within the agreed scope. It is much better to find and fix weaknesses before a customer is impacted by a breach. For more information on penetration testing, the link below explains what penetration testing is, why it is done, how often it should be done, and who benefits from doing it (Core Security n.d.).
Reference:
- Core Security (n.d.). Penetration Testing Overview. Retrieved on September 14, 2014, from http://www.coresecurity.com/penetration-testing-overview