The Anatomy of a Vulnerability Assessment Questionnaire

As technology has advanced rapidly in recent years, the information technology infrastructures  that companies rely upon have become more automated and interwoven than ever. While much of this progress has been good for business – and the world as a whole – it has also exposed new cybersecurity vulnerabilities.

Identifying and then addressing these weak points is a critical part of any Cybersecurity Maturity Assessment. To find these softsports you must first conduct a vulnerability assessment questionnaire. When done correctly, it can arm you and your cybersecurity partner with all of the pertinent information you need to bolster your cybersecurity defenses.

What does a security risk assessment questionnaire entail? Let’s review.

 

What is a Vulnerability Assessment? 

A vulnerability assessment is the process of identifying, classifying, and then prioritizing security exposures within your IT infrastructure. It involves five primary steps:

1. Vulnerability identification – Assess your networks, penetration tests results, firewall logs, and vulnerability scans to identify weak points. The questionnaire takes place in this initial stage.
2. Vulnerability analysis – Determine whether the vulnerabilities are exploitable. Then classify the severity of the exploit to understand your total risk.
3. Risk assessment – Find out which vulnerabilities need to be mitigated or remediated by order of severity.
4. Remediation – Apply new processes and update software or hardware.
5. Mitigation – Take countermeasures and determine how to quantify their efficacy.

While it may seem a complicated process, it’s a common security measure that can help your organization gain a clear perspective on your:

• IT infrastructure
• Specific security flaws
• Overall risk profile

Armed with this information, you can take the steps necessary to protect both your systems, network and private data from budding cyberthreats.

 

Types of Vulnerability Assessments

There are a variety of different types of vulnerability assessments. Each has its own specific purpose, with some being better suited to your specific IT environment than others. Or, you may perform all of the assessments to paint a more rigorous picture of your cybersecurity profile.

The most common assessments include:

• Network-based assessment – This highlights network security problems and works to detect vulnerable systems (whether they’re on a wired network or wireless).
• Wireless network assessment – This scans WiFi networks and specific attack vectors within a wireless network’s infrastructure. It affirms that your network is properly configured to thwart unauthorized users from gaining access.
• Host-based assessment – This spotlights vulnerabilities on internal equipment, including:
  • Workstations
  • Servers
  • Network hosts

It analyzes open ports to see whether the configuration settings and patch management    are up to par.

• Application assessment – This identifies vulnerabilities within web applications and their source code. Typically, this is done by analyzing the source code or utilizing automated vulnerability scanning tools.
• Database assessment – This designates vulnerabilities and misconfigurations, and classifies sensitive data environments.

 

Assess your cybersecurity

 

What is a Security Assessment Questionnaire? 

A vulnerability assessment questionnaire will vary depending on the source. The specific questions may change, but the generalized topics, questions, and goals will likely be similar.

The questionnaire is one of the first critical steps to any cybersecurity maturity assessment. It provides a security team with the information they need to have a better understanding of:

• What your business does
• What you hope to accomplish
• Your specific risks or areas you worry about

The answers to these questions empower a cybersecurity auditing team to be purposeful as they go about the process of assessing your strengths and weaknesses.

So, what are some of the topics you can expect from an assessment questionnaire?

Identify the Core Mission(s)  

To properly assess your vulnerabilities and protect your critical infrastructure it’s important to know and define your mission.

The primary question here is: what do you hope to accomplish?

The answer to this (and future) questions should be discussed and agreed upon by a chosen executive management team. Typically, this includes a project leader and then experts well-versed on the following aspects of IT:

• Personnel security and training
• Mainframes
• Database management systems
• Telecommunications
• Information security
• Networks

Your end goals can be used by the audit team as a bellwether to guide and inform their actions.

 

Provide General Audit Information 

You’ll inevitably be asked specifics about the assessment itself. Likely questions include:

• What type(s) of assessments do you wish to perform?
• Would you like to perform compliance, physical, or enterprise assessment?
  • If compliance, with what regulations?
• What machines will be looked at? Provide all relevant information, including:
  • IP address
  • OS
  • Machine names
• Is your organization subject to specific regulatory requirements?

The answers to these (and similar) questions will be used as a staging point going forward.

 

Denote Your Business Processes 

It’s critical that your team has a deep understanding of your business processes, particularly those that are critical to compliance and customer privacy.

An IT team can’t do this on their own. It requires collaboration between IT and the various representatives of your organization. Allow your task force to assess the various business processes and see what infrastructure they rely on.

The goal of this is to see how processes are accomplished and what threats that exposes each one to. You can then leverage this knowledge to rank the processes in terms of mission criticality and sensitivity.

 

Discuss Your Threat Profile 

The next round of questions will touch upon your threat environment. Typically, you’ll be required to identify your threat(s), the likelihood of each one occurring, and the impact one could have on your business.

There are five primary threats that most any organization faces to some degree or another:

• Cyberattack – Hackers may seek to interfere with your services, break-in to your network or systems, or leverage a security gap to pivot into other systems. According to the Ponemon Institute, this is the most frequent and expensive type of cybersecurity threat any business will face.
• Unauthorized access to system or data – Employees with valid access or individuals with stolen credentials may try to access unauthorized systems or data that they shouldn’t. This could either be the result of a malicious insider or an accidental insider.
• Human errors – Whether it’s user, maintenance, or operation, there are dozens of mistakes an employee could make that expose your business to risk. Every person involved in your operation represents a potential threat and must be accounted for.
• System failures – All equipment inevitably breaks down or fails, given time. It’s important to take stock of and maintain your hardware, software, power, A/C, and communication systems.
• Natural disasters – Any domestic or environmental disaster could cause a sudden disruption of your services. Depending on the location of your business, you may be at risk for losing critical assets due to environmental events.

Awareness of the specific threats you face can play a significant role in the development of a strategic plan to prevent them from having an outsized impact on your operations, even were they to occur.

 

List your Organizational Structure and Customers

It’s important to always consider the impact that employees can have on your overall security profile.

Often, your success or failure may come down to just one person doing their job correctly. Like with your equipment or facilities, an individual can represent a single point of failure capable of completely exposing your organization to cyberthreats.

Questions might include:

• Who are personnel in key positions within the company?
• Which personnel have critical skills that make them difficult to replace?
• Which people are involved with each core process? What is their role?

The reason for this line of questioning is to see whether or not you have a sufficient number of trained staff necessary to safely and securely handle core processes within the threat environment.

 

Identify Facilities 

Your organization likely has one if not multiple facilities that it relies on to support core processes. They could be owned and operated by your business or outsourced and managed by a third party.

The goal of this is to determine the impact the loss of one of your core facilities would have on your core mission functions. This could apply to an individual facility or multiple linked facilities.

Map Out IT Architecture 

An essential task of a vulnerability assessment questionnaire is to clearly identify every network, hardware, software, and cloud-based IT asset under your control. You may be asked to present or attach network diagrams that include relevant systems and environments. They should highlight network segmentation and access controls.

Things you may be asked to consider include:

• Hardware – What hardware supports applications and data?
  • What are the servers (virtual and physical) that run mission-critical apps?
  • What are the data storage devices that hold mission-critical and sensitive data?
• Applications – What applications and data are necessary for mission-critical processes to run?
• Data sources – Where is sensitive data accessed and stored? Per Sirius Edge, “While some data may reside in a static location, the overwhelming majority will exist and interact in an ecosystem of devices and information pathways. Collectively, these devices often contain the most recent, sensitive data your organization possesses.”
• Infrastructure that connects hardware – What are the routers and network devices that applications and hardware rely on to perform their tasks?

By understanding where data is kept and how it moves from A to B, you can take the necessary steps to protect it.

 

Consider Logical Access 

Next, it’s important to consider the tools and protocols used to identify, authenticate and account for computer information system access. Ideally, you’ll already have a formal access authorization process that’s based on least privilege and need-to-know status.

Key factors you may be asked to review include:

• Identity and access management – How are systems and applications configured to ensure that only authorized individuals have access?
  • Do you use unique IDs and passwords? Two factor authentication?
  • Is there a list of authorized users with access to OS?
  • Is access to source application code restricted?
  • Is software installation restricted for servers and workstations?
• Identity management – Do users have uniquely identifiable IDs?
• Entitlement reviews – Are there processes in place to review user accounts and their access?

 

Delve Into Your Security Processes 

An audit team needs to know what security processes are already in place to determine what is working and what isn’t. Categories include:

• Personnel security – What steps does your organization take to ensure that personnel are screened, trained, and monitored?
  • Do you perform background checks to verify their credentials, work history, and criminal history?
  • Are your employees asked to sign non-disclosure agreements?
  • Do you have processes in place to handle an employee termination or transfer?
    • Are equipment and ID badges returned, logins disabled, passwords reset?

 

• Physical security – Do you have controls in place to prevent individuals from accessing facilities without authorization?
  • How do you control physical access authorization?
  • Who is in charge of ensuring that only the right people have access?
  • What policies or procedures are in place to document repairs and changes to physical security features?

 

• Network security – Are networks and applications controlled?
  • Are networks and applications separated?
  • Are systems and networks that host, process, and transmit sensitive client data segmented off?
  • Is sensitive information encrypted when sent to external recipients?
  • Are vulnerability scans and assessments performed on a periodic basis?
  • Does your team monitor, review, and grant access to authorized third parties?

These are just a few of the questions that may arise, but they encapsulate the ethos of your security processes.

 

Prepare for a Vulnerability Assessment with RSI Security  

A security assessment questionnaire readies both your organization and your cybersecurity partner to perform a meaningful cybersecurity maturity assessment of your IT environment.

The questionnaire could be a high-level overview of your operations or a deep dive into the ins and outs of your IT environment. There could be dozens of questions, or hundreds. It depends on your circumstances, goals, and security partner. Regardless, it helps to prepare everyone in your organization for what’s to come.

But where do you go if you need to perform a vulnerability assessment?

RSI Security is the answer. 

In a complex and volatile technology environment, the threats you face may constantly change thanks to new technologies opening up new vulnerabilities. At RSI security, we specialize in all things cybersecurity, making us the ideal security program advisors. Let us conduct your cybersecurity maturity assessment. Together, we’ll ensure that your business is protected from cyberthreats.