
Defining security assessments: Risk, compliance, and security frameworks

What is the difference between a security assessment, a risk assessment, and a zero-trust assessment? What about a penetration test? Or a compliance assessment for HIPAA or PCI DSS? Keeping the different types of security risk assessments straight can be a challenge for professionals who are not focused on cybersecurity.

Each assessment type works toward the same goal–examining the health and security of your organization’s environment–but with a different focus. Security assessments are vital because they look at your security program and compare it to a known security framework, like NIST CSF or CIS Controls, which helps you identify risks and prioritize defensive controls. Each assessment helps an organization order the many security projects on its list so that risk is reduced quickly. The analogy is an annual checkup with your physician: it evaluates your overall health, but it may also flag risks that lead to additional tests based on the potential for stroke, heart attack, or other disorders.

But where do you start with your security assessments? Which one should your organization invest in first? To answer that question, let us explore the purpose of each assessment in greater detail.

The types of security assessments

  • Penetration testing – Tests the effectiveness of your security controls with simulated cyberattacks that criminals would use.
  • Vulnerability assessments – Authenticated or unauthenticated scans of your internal or external network that identify known vulnerabilities.
  • Risk assessments – An evaluation of your enterprise that quantifies, identifies, and prioritizes the risks to your network, system, or application.
  • Compliance assessments – Measures your security controls against a specific compliance framework and provides a gap analysis.
  • Security program assessments – Compares your existing security controls against standard frameworks like NIST CSF, CIS Controls, and ISO 27001.
  • Zero-trust readiness – A custom assessment from OnX Canada that evaluates an organization’s readiness for the zero-trust architecture framework.

The role of security assessments in cybersecurity

Penetration testing (aka ethical hacking, white-hat hacking, or pen testing) is a type of evaluation that mimics a real-life cyberattack. The assessor attempts to gain unauthorized access to an organization’s environment, application, or network with the goal of testing the effectiveness of an organization’s security controls and procedures.

Pen tests can also unearth previously undiscovered exploits, such as zero-day threats and flawed application or business logic vulnerabilities. An example could be a web app with flawed logic that bypasses authentication systems. This logic flaw creates a security gap that threat actors could manipulate, and the flaw may not be detectable until you do a pen test (or, in the worst-case scenario, a breach).

Vulnerability assessments (aka vulnerability scan or vuln scan) differ from penetration tests in several ways. Vulnerability assessments rely on scanning software that checks for known vulnerabilities across an organization’s external or internal assets. The goal is to provide an overall picture of security risks to an organization’s network and help the security team generate a vulnerability report and prioritize defensive measures. For example, if a scan identifies a particular desktop in your organization as highly vulnerable, you know that you need to patch that system first.

A vulnerability scan, however, does not test whether a vulnerability can actually be exploited. That is the role of a pen test.


Risk assessments are extensive evaluations of a particular environment that aim to quantify, identify, and prioritize the security risks of a network, system, or application. Risk assessments weigh different variables, such as the likelihood that vulnerabilities are exploited and the potential impact of an attack given the present security protocols. A real-world parallel to a risk assessment is deciding whether or not to build a home near a river. You would ask whether the house is in a flood plain and, if so, how high the floodwater rises. The answers can change your strategy: depending on the results of your risk assessment, you might choose another location or build on stilts.

Risk assessments factor in current vulnerabilities but go beyond a vulnerability scan to provide context to the risk.
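To make that distinction concrete, here is an added example (not OnX’s methodology or tooling) that ranks three constructed scan findings first by raw scanner severity and then by contextual risk. It assumes a simple likelihood × impact model whose exposure, data-sensitivity and compensating-control weights are illustrative, not taken from any framework.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One constructed scanner finding plus the context a risk assessment adds."""
    host: str
    issue: str
    cvss: float                 # raw scanner severity, CVSS-style 0-10
    internet_facing: bool       # reachable from the internet?
    data_sensitivity: int       # 1 = public data ... 5 = regulated data (PHI, cardholder data)
    compensating_controls: int  # 0 = none ... 3 = strong (segmented, MFA, monitored)


def contextual_risk(f: Finding) -> float:
    """Likelihood x impact, adjusted for exposure and compensating controls.

    Likelihood starts as scanner severity scaled to 0-1, is boosted for
    internet-facing hosts, and is reduced for each compensating control.
    Impact is the data-sensitivity rating. All weights are assumptions.
    """
    likelihood = f.cvss / 10.0
    if f.internet_facing:
        likelihood = min(1.0, likelihood * 1.5)
    likelihood *= 1.0 - 0.25 * f.compensating_controls  # 0 controls -> x1.0, 3 -> x0.25
    return likelihood * f.data_sensitivity


def by_scanner_severity(findings):
    """What a vulnerability scan alone gives you: ordered by raw severity."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def by_contextual_risk(findings):
    """What a risk assessment adds: ordered by likelihood x impact in context."""
    return sorted(findings, key=contextual_risk, reverse=True)


# Constructed sample findings; hosts and issues are made up for illustration.
SCAN = [
    Finding("dmz-web-01", "outdated TLS library", 7.5, True, 5, 0),
    Finding("hr-desktop-7", "unpatched office suite", 9.8, False, 3, 2),
    Finding("lab-vm-3", "default admin credentials", 8.0, False, 1, 3),
]

if __name__ == "__main__":
    print("By scanner severity:", [f.host for f in by_scanner_severity(SCAN)])
    print("By contextual risk: ", [(f.host, round(contextual_risk(f), 2)) for f in by_contextual_risk(SCAN)])
```

The scanner ranks the isolated lab VM above the internet-facing web server; once exposure, data sensitivity and existing controls are weighed, the web server moves to the top of the list.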

Compliance assessments serve as a measuring stick that examines how closely an organization adheres to a set of compliance regulations set forth by a government or other regulatory body. Highly regulated organizations, such as healthcare providers or financial institutions, must comply with a variety of regulations such as HIPAA, CCPA, PCI DSS, ITAR, and GDPR. HIPAA rules set by government regulators provide guidelines on how to store or transmit sensitive patient/customer data. Industry standards like PCI DSS set requirements for handling credit card information.

In my experience working with organizations that need to meet compliance standards, I have found that a compliance assessment does not categorize risk or test security protocols; it determines if controls are in place, not how adequate those controls are in defending against breaches. We do provide guidance on how to reduce risk, but compliance does not equal security.

Security program assessments compare existing security controls against a standard framework such as the NIST Cybersecurity Framework, ISO 27001, or CIS Controls. Each framework has a list of security controls that an organization needs to meet in order to be compliant. Common controls include:

  • Strong passwords.
  • Multi-factor authentication (MFA).
  • Segmentation.
  • Firewall implementation.

Security program assessments help an organization evaluate what is working well and where its gaps are.

Utilizing a well-known security framework, rather than a vendor-based framework, enables your organization to select the vendor it prefers instead of becoming vendor-locked. Perhaps your chosen framework recommends MFA implementation. Your security team can pick whatever MFA solution best suits your environment, not one linked to a specific vendor. It is the same for other security tools like network security solutions, firewalls, and malware protection. Similar to a compliance assessment, a program assessment does not test security protocols or pinpoint vulnerabilities; it determines if the controls are implemented or not and provides a gap analysis.


The zero-trust readiness assessment is a new assessment that determines how well an organization meets the NIST Zero Trust Architecture framework. OnX customized this assessment for customers working with the U.S. federal government and following this specific framework.

Moving to a zero-trust framework means implementing an architecture that complies with this standard framework. The U.S. government is moving toward zero trust implementation across all branches and departments (following Executive Order 14028). Companies holding contracts with the U.S. government must apply zero trust principles to their environments to stay aligned. However, organizations not directly related to the U.S. government can reap the security benefits of a zero-trust architecture as well.


Prioritizing security assessments

Determining where to start by assessing and quantifying risks can be a challenge. The questions below can point you in the right direction:

Where are you in your cybersecurity journey?

Organizations just beginning to implement cybersecurity will want to start with a security assessment. Similar to an annual physical, the security assessment provides a picture of overall health, documenting what is going well and what issues need to be addressed.

Companies with more mature security programs will want to test their existing security controls and cybersecurity posture. For these organizations, start with a penetration test. Certain regulations like FTC Safeguards now require yearly penetration tests, so your organization may already be familiar with this process.

Is your organization subject to compliance regulations?

If yes, a security program assessment against one of the regulatory frameworks (HIPAA, zero trust, PCI DSS, etc.) that apply to your business would be a high priority. This assessment highlights gaps between your organization’s security controls and the standard before you engage an auditor. Compliance assessments are more affordable than an audit, so scheduling one before hiring an auditor is a good idea. That way, you can confirm that the proper controls are in place.

Are you required to conduct annual pen tests?

Several regulatory bodies require yearly penetration tests. If this applies to your organization, it is a natural place to start assessing risk. If a pen test uncovers previously unknown vulnerabilities, you can follow up with a vulnerability or security assessment to gain greater visibility into the threats facing your environment.

How well does your organization understand security risks?

Has your organization quantified and documented its cybersecurity risks? If not, you should do that to get a clear picture of the risks to your environment. In this case, you could enlist OnX to conduct a security risk assessment to pinpoint, assess, and document specific vulnerabilities and risks to your organization. Once your organization understands the risks, prioritizing security actions and further testing will become much more manageable.

Cybersecurity guidance and support

Pen testing, vulnerability assessments, risk assessments, compliance evaluations, and security program assessments all provide valuable insights and intelligence into your environment. Prioritizing and selecting the right timing and cadence of security risk assessments depends on your company’s specific security objectives and compliance requirements. Security assessments are essential for ensuring your security posture is up-to-date and bolstered against the latest threats.

Get in touch with one of our cybersecurity experts to learn more about security assessments.