Security assessments should be conducted on a regular basis, and should be included in the strategy. Major international standards include third-party assessments as an important requirement. The goal of assessments is to ensure that necessary and adequate security controls are implemented to protect information assets from unauthorised access, use, disclosure, disruption, modification, recording or destruction.
We, at Forebrook, conduct comprehensive assessments based on best-practices and international standards. In addition to using latest tools for vulnerability assessments, we also check, inspect, observe and analyse information systems in a holistic manner covering technology, people, policies, processes, procedures. As an integral part of assessments, we conduct interviews with individuals and groups in the organisation to understand the infrastructure, security objectives and strategies, and assess security controls for effectiveness and adequacy. Additionally, penetration tests will be conducted for public-facing IPs.
Our Security/Risk Assessments culminate in extensive reports and recommendations for remediation along with roadmaps to implement controls.
A typical assessment covers more than 25 areas including:
- Security Policies
- Data Classification
- Risk Management
- Topology, Data Flow
- Access Control
- VPN/Remote Access
- Network Access Control
- Application Configuration
- Database Configuration
- Change Control
- Patching & Anti-Virus
- Logging / SIEM
- Intrusion Detection
- Physical Security
HOW WE CONDUCT AN ASSESSMENT
Survey and Data Gathering
Consultants will examine all the components in the IT infrastructure and acquire data by:
* Physical survey of data centres
* Interviews with IT staff
* Inspection of systems, configuration data, etc.
All the details collected will be collated and documented. Work products in this phase include:
– Documentation of servers, networks, applications, services, etc.
– Topology and connectivity diagrams
– Server and equipment lists.
Adequacy of controls will be tested against:
* Controls based on standards (PCI-DSS / ISO27001)
* Test nearly controls in various security domains
* Technology assessment: using VA tools
Summary and detailed reports will be compiled that will show the present state of security in the organisation.
Based on the assessment and business requirements, recommendations will be made, which:
– Highlight areas which require immediate action
– Configuration changes or upgrades to systems
– Implementation of controls hitherto not implemented
The assessment will culminate in:
* Presentation of findings
* Discussion of recommendations
* Workshop with tech and admin teams
Summary and detailed reports on the state of security pointing out adequacy of controls implemented.
Gap Analysis Report
Gap analysis against established standards such as ISO27001, PCI etc.
Asset inventory: servers, storage, backup, network equipment, cloud assets.