3. Where Is the Agency’s Architecture Obsolete?
Security is constantly changing. The application and network architectures of many agencies are outdated. New approaches such as microsegmentation are old ideas but recently have become the standard in data center design. Find areas where the security ground has shifted, then reconsider and redesign if appropriate.
4. Is This the Forest or the Trees?
Any assessment must probe into the details — so, yes, that security vulnerability in a maintenance scheduling application is important. Much more valuable, however, is knowing the big picture: Where are employees doing a good job, and where must an agency improve its security posture and practices? Listen carefully to what the assessor has to say here.
5. What Can an Agency Do After the Assessment?
A big chunk of the value of assessments comes from the experienced person who interprets the output of some automated tools. That interpretation is what an agency is buying, so make sure there’s a knowledge transfer from the assessor to the governance team to ensure that everyone understands how to keep the enterprise safe between regular assessments, which the agency should continue to receive.