Gathering your own assessment data first and then sharing it will focus your assessment partner and produce real business value from the engagement. Without a self-assessment, you may be paying for information you already have or could easily obtain for free.
Getting more value out of your third party assessment
- Ask yourself, where is my business-critical data and which systems house it?
- Choose a security framework, or use the one your compliance obligations impose, and read it in its entirety. I recommend the CIS 20 Critical Security Controls and NIST SP 800-171, as they are effective without being overwhelming.
- Next, go down the list of technical controls and put a check next to those in which you have invested.
- After the checklist, review the policies and procedures associated with those technical controls, if they exist, e.g. the information security policy, asset management, access control, etc.
- Share your information with the third party assessor.
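The five steps above are a repeatable procedure, and the result worth handing to the assessor is a per-system view of which controls are in place, which are missing, and which deployed controls have no written policy behind them. The script below is an added example, not code from the original post: the systems, data classes and the four-entry control catalogue are constructed for illustration, and the `C1`/`C4`/`C6`/`C10` identifiers are CIS-style placeholders rather than quotations from the CIS 20 or NIST SP 800-171 text. It ranks gaps so that systems holding business-critical data come first, which is exactly the scope you want the assessor to spend time on.

```python
"""Self-assessment gap report modelled on the five steps above.

Added example, not code from the original post. The inventory, data classes
and control catalogue below are constructed; control IDs are CIS-style
placeholders, not quotations from any framework. Run: python3 self_assessment.py
"""
from dataclasses import dataclass

# Step 1: data classes that make a system business-critical (assumption)
CRITICAL_DATA = frozenset({"PII", "financial", "trade-secret"})


@dataclass(frozen=True)
class System:
    name: str
    data_classes: frozenset

    @property
    def business_critical(self) -> bool:
        # A system is critical if it houses any critical data class
        return bool(self.data_classes & CRITICAL_DATA)


@dataclass(frozen=True)
class Control:
    control_id: str   # placeholder framework ID, e.g. "C4"
    title: str
    has_policy: bool  # step 4: a written policy/procedure exists for it


# Constructed inventory (step 1)
SYSTEMS = [
    System("erp-db", frozenset({"financial", "PII"})),
    System("file-share", frozenset({"PII"})),
    System("marketing-web", frozenset({"public"})),
]

# Constructed control catalogue (step 2), listed in framework order
CONTROLS = [
    Control("C1", "Inventory of hardware and software assets", has_policy=True),
    Control("C4", "Controlled use of administrative privileges", has_policy=False),
    Control("C6", "Audit log collection and review", has_policy=True),
    Control("C10", "Data recovery and backups", has_policy=True),
]

# Step 3: (system, control) pairs where the control is actually deployed
IMPLEMENTED = {
    ("erp-db", "C1"), ("erp-db", "C6"), ("erp-db", "C10"),
    ("file-share", "C1"), ("file-share", "C10"),
    ("marketing-web", "C1"), ("marketing-web", "C4"),
}


def control_gaps(systems, controls, implemented):
    """(system, control) pairs with no control in place, ordered with
    business-critical systems first, then framework order, then system name."""
    rank = {c.control_id: i for i, c in enumerate(controls)}
    by_name = {s.name: s for s in systems}
    gaps = [(s.name, c.control_id) for s in systems for c in controls
            if (s.name, c.control_id) not in implemented]
    gaps.sort(key=lambda g: (not by_name[g[0]].business_critical, rank[g[1]], g[0]))
    return gaps


def policy_gaps(controls, implemented):
    """Controls deployed somewhere but with no written policy behind them
    (step 4): a technical control nobody governs is a finding too."""
    deployed = {cid for _, cid in implemented}
    return [c.control_id for c in controls
            if c.control_id in deployed and not c.has_policy]


def assessor_summary(systems, controls, implemented):
    """Step 5: the per-system package to hand to the assessor."""
    summary = {}
    for s in systems:
        in_place = [c.control_id for c in controls if (s.name, c.control_id) in implemented]
        missing = [c.control_id for c in controls if (s.name, c.control_id) not in implemented]
        summary[s.name] = {
            "business_critical": s.business_critical,
            "data_classes": sorted(s.data_classes),
            "in_place": in_place,
            "missing": missing,
            "coverage": len(in_place) / len(controls),
        }
    return summary


if __name__ == "__main__":
    for name, row in assessor_summary(SYSTEMS, CONTROLS, IMPLEMENTED).items():
        flag = "CRITICAL" if row["business_critical"] else "        "
        print(f"{flag} {name:14} {row['coverage']:.0%} covered; missing {row['missing']}")
    print("prioritised gaps:", control_gaps(SYSTEMS, CONTROLS, IMPLEMENTED))
    print("deployed but no policy:", policy_gaps(CONTROLS, IMPLEMENTED))
```

Replace the constructed inventory and catalogue with your real asset list and the framework you chose; the ranking logic stays the same. The `policy_gaps` check is the part most self-assessments skip: it surfaces controls you paid for but never wrote down how to operate.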
You now know which controls are in place around your important data and which are not. This self-assessment is critical in setting the scope and expectations of the third party security review.
Passing this information on to your assessor increases the business value of the assessment. Instead of rediscovering your inventory, the assessor can focus on identifying how existing systems could be more effective and how an attacker could bypass the controls you have in place. Assessors will also know where the business-critical information resides and can identify the high risks to the organization. This enables them to provide you with a prioritized list of actionable findings to improve your security posture.