Planning Your Security Assessment
April 6, 2010

Careful planning is the first and most important step of any security assessment. While it may be tempting to break out your network security tool kit right away and begin scanning the entire network, this can lead to haphazard information collection and analysis and provide practically no basis for attaining consistent, measurable results. Following are the three key steps to proper planning:
Establish a reliable grading system:
How will the assessment results be graded?
Will you use a scale from 1 to 10, a “low, medium, high” vulnerability chart, an academic grade scale or a color-coded scheme?
How many types of vulnerabilities can your resources have and still receive a certain grade level?
Which vulnerabilities are more critical than others?
Grading: Quantifying the results of your assessment is critical, as it gives your assessment process continuity over time and provides key metrics to evaluate how your security improves (or worsens) when new variables (such as a system addition or upgrade) are introduced. For example, you may find that the assessment uncovered five vulnerabilities in your Web server during one assessment, giving it a grade of “6.” Sometime before the next assessment you install an intrusion prevention system (IPS). When you perform a second assessment on that Web server, it uncovers only one vulnerability, qualifying it for a grade of “8.” You can now demonstrate that your security has improved over time, as well as give management a firm, measurable ROI for your IPS.
Scope: Determining the scope of the assessment is also critical: What resources or information assets are going to be the focus of your assessment? You can choose to make the scope small, such as a specific client portal or one of your Web servers, or you can make it large and choose to assess your entire network.
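The grading and scope steps above, as an added example (not from the original article): a small grading model in which each finding carries an assumed severity weight, every in-scope asset receives a 1-10 grade, findings on out-of-scope assets are rejected, and two assessments of the same scope can be compared. The weights, the two-points-of-penalty-per-grade-point rule, and the sample findings are all constructed for this example; the article does not prescribe a particular scheme.

```python
import math
from collections import defaultdict

# Assumed severity weights: how heavily each finding counts against its asset.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}

def penalty(findings):
    """Weighted sum of the severities in one asset's list of (severity, title)."""
    total = 0
    for severity, title in findings:
        if severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {severity!r} on finding {title!r}")
        total += SEVERITY_WEIGHT[severity]
    return total

def grade(findings):
    """Assumed scale: start at 10, lose one point per two points of penalty, floor at 1."""
    return max(1, 10 - math.ceil(penalty(findings) / 2))

def grade_scope(scope, findings):
    """Grade every in-scope asset (an asset with no findings scores 10).
    A finding on an asset outside the agreed scope is an error, not silently dropped,
    so the report always matches the scope that was planned."""
    by_asset = defaultdict(list)
    for asset, severity, title in findings:
        if asset not in scope:
            raise ValueError(f"finding {title!r} is on {asset!r}, which is out of scope")
        by_asset[asset].append((severity, title))
    return {asset: grade(by_asset[asset]) for asset in scope}

def compare(before, after):
    """Per-asset grade change between two assessments (positive = improved).
    Grades from different scopes are not comparable, so the scopes must match."""
    if before.keys() != after.keys():
        raise ValueError("assessments cover different scopes; grades are not comparable")
    return {asset: after[asset] - before[asset] for asset in before}

# Constructed sample data mirroring the article's illustration: five findings on the
# Web server in the first assessment, one remaining after the IPS was installed.
SCOPE = {"web-server", "client-portal"}
FIRST = [
    ("web-server", "low", "verbose server banner"),
    ("web-server", "low", "directory listing enabled"),
    ("web-server", "low", "missing security headers"),
    ("web-server", "low", "weak TLS configuration"),
    ("web-server", "high", "outdated TLS library"),
]
SECOND = [("web-server", "high", "outdated TLS library")]

if __name__ == "__main__":
    g1, g2 = grade_scope(SCOPE, FIRST), grade_scope(SCOPE, SECOND)
    print(g1, g2, compare(g1, g2))  # web-server goes from 6 to 8, a change of +2
```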