How to Accurately Define the Scope of an Information Security Assessment

by Sarah Harvey / September 26th, 2017

In this session of Duo’s webinar series, A Comprehensive Security Roadmap for MSPs, Joseph Kirkpatrick presents best practices for defining and reducing the scope of an information security assessment.

Scoping involves the identification of people, processes, and technologies that interact with, or could otherwise impact, the security of the information to be protected. Scoping is the first step for any assessment and also one of the most important elements of an information security assessment because ignoring any of the relevant people, processes, or technologies could severely impact the quality and reliability of the entire assessment.

When considering people that could be in scope, you must ask: Who connects to the environment? Executives, IT, 3rd parties, programmers? These people must abide by policies and adhere to requirements. When determining processes that could impact the security of protected information, you must ask: Is there a process that involves someone doing a daily backup for you? A cloud provider or company coming onsite to pick up backup media? A remote data center with remote hands service to perform a process for you? Finally, what technologies are in scope? You must identify all systems in scope, like web, database servers, firewalls, switches, authentication services, log servers, etc.

Managed Service Providers are often hesitant to consider themselves as in-scope. To be considered out of scope, a system component must not have access to any system within the network containing sensitive data. Questions we commonly ask MSPs are:

  • Could the MSP impact the security of the systems that do access sensitive information?
  • Does the MSP install new patches and review logs produced by the system?
  • Does the MSP’s access to the systems require administrative-level privileges?
  • Even if there are firewalls between one system and the next, what ports are available for the MSP to connect to in order to manage the network?
  • Even if the MSP connects over a VPN and all traffic is encrypted, doesn’t the MSP become part of the client’s network?
  • If a user is now connected to the network and is considered in scope, what else is in scope?

The key to accurately defining the scope of an information security assessment is to be thorough in assessing the people, processes, and technologies that interact with, or could impact the security of, the information to be protected. Listen to the full webinar to hear case studies and more details from Joseph Kirkpatrick.

About Duo Security

Duo Security is a cloud-based Trusted Access provider protecting thousands of the world’s largest and fastest-growing organizations, including Dresser-Rand Group, Etsy, Facebook, K-Swiss, Paramount Pictures, Random House, SuddenLink, Toyota, Yelp, Zillow, and more. Duo Security’s innovative and easy-to-use technology can be quickly deployed to protect users, data, and applications from breaches, credential theft, and account takeover. The Ann Arbor, Michigan-based company also has offices in San Mateo, California; Austin, Texas; and London. Duo Security is backed by Benchmark, Google Ventures, Radar Partners, Redpoint Ventures, and True Ventures. Try it for free at