Security Assessments

The role of a security professional includes information security consulting. Consulting includes determining what security controls are in place, identifying control gaps, assisting lines of business (LOB) in assessing risks, and recommending solutions. However, determining controls can often be problematic. As discussed in Chapter 1, knowledge is often dispersed among various teams such as application groups, network group, database group, administrators, and various developers. Collecting and consolidating information is an important skill for any security professional; as shown in Figure 8.1, this includes sifting through documentation, conducting interviews, testing, performing analysis, and eventually producing reports.