Data security is more than having a firewall and a virus checker, just as it is more than preventing a network intrusion. Indeed, there are many kinds of breaches, impairments and compromises, all of which can have significant adverse consequences, including penalties, lost sales, lower profitability, loss of competitiveness and even a threat to the continued existence of the organization.
The Data Security Survey examines an organization's data security policies, procedures and practices for preventing, detecting and responding to breaches, impairments and compromises by both external and internal adversaries. More specifically, it considers:
Physical and logical access controls to systems and storage media;
Identification and organization of sensitive data and its integration with security features;
Data protection schemes;
System audit, review and monitoring;
Strength of internal controls; and
Incident response resources and procedures.
The survey is not an audit or a certification. It is intended as a high-level assessment of a system's design with limited validation of the actual design implementation.
The survey typically involves 4 or 5 days of on-site field work reviewing the current design, inspecting facilities and equipment, reviewing policies and procedures, examining certain logs and other data, and talking with key personnel about issues of interest. The field work is then followed by a letter report summarizing our findings, conclusions and recommendations, if any.
The Security Survey is a great way to get started in assessing system security and integrity and compliance with the NIST 800-171 security controls imposed by DFARS 52.204-7012. While it is not as robust as a full-scale security audit or other more penetrating analyses, it provides an expert analysis in a short period of time in order to either confirm or assuage management's concerns and obtain a more reasoned solution to those concerns, if they actually exist.
The survey could also be tailored at management's request to focus on specific areas of interest, such as adequacy of incident response procedures, internal audit and review processes, and adequacy of security layers, in addition to the organization's preparedness under the new DoD contract clause, 52.204-7012, Safeguarding Controlled Unclassified Information (CUI), and the NIST 800-171 control standards.