Information security is so much more than making sure firewalls and anti-virus are up to date. While these technical controls are important to your overall security plan, they do not tell the whole story.
We have focused recent blog posts on how an S2Score is a comprehensive measurement of risks to information security. Today we are going to dive into the specifics of what that means.
The S2Score assessment looks for vulnerabilities, weak points and deficiencies in your information security with the ultimate goal of protecting the confidentiality, integrity and availability of information.
What makes an S2Score security assessment comprehensive?
To be truly comprehensive, you need to look at more than just the technical aspects of security, which have to do with hardware and software. To look at the whole picture of information security, three types of controls need to be considered, and the S2Score assessment looks at all of them:
Technical Controls
Technical controls are what you probably picture first when reviewing information security. These have to do with your IT hardware and software and are divided into two sub-categories: internal and external.
Internal technical controls protect information within your network.
- Firewalls
- Intrusion prevention systems
- Anti-virus software
- Mobile Device Management (MDM)
- Usernames/passwords
- Security logs
- Access controls
- Data encryption
- Search engine indexes
- Domain Name System (DNS)
- Port scanning
- Vulnerability scanning
- Security Operation Centers (SOC)
Administrative Controls
Administrative controls include organizational processes, policies and procedures and the humans behind them who choose, develop, implement and maintain security practices in your environment. People are the biggest weak points in your network, and the more you can educate them and give them standards to adhere to, the more secure your information will be. Administrative controls can include:
- Policies, such as requirements to lock computer screens while unattended
- Awareness training and education
- Guidelines
- Standards
- Procedures, such as removing network access during employee offboarding
- Appointed security officers
- Internal audits
- Business continuity plans
- Reporting of security breaches
Physical Controls
Physical controls have to do with your building security. Security measures are useless if your files or servers are physically stolen or destroyed. An S2Score assessment will look at physical controls, such as:
- Locked doors
- Camera surveillance
- Alarm systems
- Backups stored offsite
- Employee ID badges
- Locked file cabinets
- Restriction of employee access to sensitive areas
- Measures to prevent fire and flood damage
By assessing these different control areas with an S2Score, you not only get the most comprehensive look at your information security risk, you also get a comprehensive report and action plan to address any control areas that might be lacking. The size, complexity and function of your organization will determine the extent of the technical, physical and administrative controls you need, as will the type of IT infrastructure you have and your industry’s compliance requirements.
It is common for organizations to spend their budget and time on technical controls, while administrative and physical controls are lacking. This oversight can have dramatic impacts on your security posture. You do not have to be an IT expert to understand the value of each of these controls to your overall information security.
Joe is the Executive Vice President of ITSG at Loffler Companies, and has been part of the Loffler IT leadership team since 2015. He has a deep background in enterprise software with experience spanning the areas of Unified Communications, Workflow Automation, Contact Center, Collaboration and ERP/SCM/WFM. A little known fact? Joe used to be the drummer in a blues band called the Electric Trane.