Recurring Assessments
Security is an industry in a constant state of change. Many of the threats, vulnerabilities and risks of concern today didn’t exist a year ago and will be replaced by others in the days, weeks or months to come. Making things more difficult, most businesses are not static, and neither is their computing environment. New business initiatives, combined with the implementation of new technology or the upgrading of legacy technology, can introduce weaknesses and vulnerabilities on an almost daily basis. This all results in one glaring fact: the state of security today will not be the same as the state of security next week, next month or next year.
Performing an assessment is an excellent way to identify the current state of security and to develop a roadmap for improvement. An assessment, however, is a single point in time. Even organizations that rapidly move forward with corrective action as the result of an assessment can sometimes find themselves outpaced by new vulnerabilities, new threats and dynamic shifts in the business or technology landscape. To keep up with this ever-changing situation, many organizations perform security assessments on a regular, recurring basis. In some cases the same assessment is performed year after year. In others, different approaches are taken when looking at security each time.
Any of NWN’s assessment services can be performed on a recurring basis. Fairly simple assessment components, such as external vulnerability scanning, are often performed on a monthly or even weekly basis while comprehensive penetration testing may occur on a monthly, semi-annual or annual basis. For complete coverage, NWN recommends the following:
Year 1
First Quarter: A full Core Risk Assessment
Second Quarter: Vulnerability Scanning & Configuration Review
Third Quarter: Penetration Test & Web Application Testing
Fourth Quarter: Vulnerability Scanning & Configuration Review
Year 2
Fifth Quarter: Partial Core Risk Assessment
Sixth Quarter: Vulnerability Scanning & Configuration Review
Seventh Quarter: Penetration Test & Web Application Testing
Eighth Quarter: Vulnerability Scanning & Configuration Review
Year 3
Ninth Quarter: A full Core Risk Assessment is performed at the beginning of the third year and the cycle repeats
This is not the only approach to recurring assessments, but it has been found to provide very comprehensive testing at a reasonable price. This approach also fits well with NWN’s Virtual CSO offering.