News Stay informed about the latest enterprise technology news and product updates.

What kind of products can be used to do a security risk assessment?

Security management expert Mike Rothman unveils what kind of software is on the market to help assist a company in the risk assessment process.

We are looking to conduct an information systems risk assessment as part of one of the recommendations following a Sarbanes-Oxley review. What software is available to help a medium-sized company (1,000 employees, $1 billion in sales) perform an information security risk assessment?
There are a number of product categories you can use to do a risk assessment. But don't be fooled into thinking that a tool will be a panacea to keeping your SOX auditors happy.

First, look at vulnerability scanners that can test networks, systems and applications. These are usually three separate product categories, but since any of your systems can be compromised by any attack vector, you'll need all three in order to compile a comprehensive list of what is vulnerable.

You may also want to look at an automated penetration-testing product. There are both open source and commercial options available; these can take vulnerability scanners to the next level and help you determine not only what is vulnerable, but also what can be exploited.

Finally, consider some good old-fashioned elbow grease in your risk assessment as well, in the form of a penetration test performed by humans. This can help you understand both the physical and logical places where your networks and/or systems can be compromised. Software is still evolving and can't really evaluate all of the social engineering techniques that modern-day hackers employ.

So in a nutshell, it's a little more complicated than going down to Best Buy and buying a yellow (or green) box to fix your problems. You'll need to use a variety of tools, assemble and assimilate the results and figure out what is truly at risk. So your most effective software is going to be the OS running in your brain.

Dig Deeper on Risk assessment and management in financial institutions

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.