Legal Hacking - Why Should You Need One

Are your systems protected against hackers? Are you sure? How do you know? Do you have a security policy that specifies precisely which control measures should be taken to mitigate risks? In our experience, the number of organizations that actually have a high-level security policy is increasing. However, in most cases the policy is a general baseline that is not based on an actual risk assessment. In some organizations this high-level policy is actually implemented in some major processes, procedures and systems. However, we also come across a large number of organizations that either do not have a security policy at all, or have one that is not followed by people and not properly implemented in technology.

A legal hack measures the overall result of the security process within your organization and gives you a clear answer about the current state of your IT security. It gives a definite answer to the question of whether your security policy is effective, and it gives clear pointers as to where improvement steps should be implemented. There are also organizations that do not have a security policy yet and rely on the education and experience of their system managers to implement the right control measures. In this case the risks identified during a legal hack can be used as a first step towards an effective security policy. In general a legal hack should take place at least once a year. In case of major changes in your network a legal hack is

How can IT security be improved? Most improvement processes consist of a cyclic model in which measurement plays a crucial part. The "Information security management systems" standard (BS7799 Part 2) uses a generic improvement model that consists of four steps: Plan, Do, Check, Act.

First of all, a security policy is defined, based either on a risk assessment or on a general baseline such as the "Code of practice" (BS7799 Part 1) [1]. This policy is then detailed and implemented in specific procedures and systems. Finally, it should be checked whether the policy results in effective security control measures. If the outcome of the check differs from the desired security level specified in the security policy, then either the policy should be changed or the implementation should be improved. A legal hack is a tool that can be used in the Check step of the improvement model. As already stated, the cycle can also be started using the results of an initial legal hack, both as a first step towards an effective security policy and as a baseline against which to measure improvement. The results of a legal hack done by an independent third party can be an excellent tool for justifying expenditure on improving IT security.