IT Insights - IT Security Assessment Terminology


Effective IT security assessments begin with baselining common terminology

A favorite dish ordered at a restaurant away from home might not taste anything like what was expected, giving the customer an unpleasant surprise. How often do such situations occur? How often can such difficulties be traced to a lack of clear definitions and terminology? Unfortunately, such scenarios play out across organizations’ IT security programs, too.

Effective IT security begins with recognizing the related terminology, so that management can act accurately upon information in a commonly understood manner. It is also crucial for ensuring that management is not relying upon false assurance. That common understanding helps mitigate risks related to losses in system and data availability, confidentiality and integrity, and it thus supports the broader aim of mitigating reputational, financial and liability risks to the organization.

IT Security Assessments and Common Related Terminology: What the Terms Mean

IT security assessment is a widely used term that encompasses IT security audits, risk assessments, vulnerability scans and penetration tests that employ ethical hacking techniques. While related, these common IT security terms have different objectives and characteristics.

An IT security assessment’s scope may be based on a particular framework or defined set of standards, such as:

• PCI-DSS (Payment Card Industry Data Security Standard)
• FISMA (Federal Information Security Management Act)
• GLBA (Gramm-Leach-Bliley Act)
• ISO (International Organization for Standardization) 27001/27002
• NIST (National Institute of Standards and Technology) 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• HIPAA (Health Insurance Portability and Accountability Act)

The assessment determines whether or not the organization is in compliance with that particular set of IT security standards, framework or best practices.


IT Insights - IT Security Assessment Terminology, by Weaver