
    10-Step Security and Vulnerability Assessment Plan

    A security assessment is conducted to determine the degree to which information system security controls are correctly implemented, whether they are operating as intended, and whether they are producing the desired level of security. A vulnerability assessment is conducted to determine the weaknesses inherent in the information systems that could be exploited, leading to a breach of the information system. Without security and vulnerability assessments, information systems may not be as secure as intended or desired.

    A security assessment policy should apply to all information systems and information system components of a given company. Specifically, it includes:

    • Mainframes, servers and other devices that provide centralized computing capabilities.
    • SAN, NAS and other devices that provide centralized storage capabilities.
    • Desktops, laptops and other devices that provide distributed computing capabilities.
    • Routers, switches and other devices that provide network capabilities.
    • Firewalls, IDP sensors and other devices that provide dedicated security capabilities.

    Security and vulnerability assessments should be performed against all information systems on a pre-determined, regularly scheduled basis. While both security and vulnerability assessments may be performed by internal staff on an on-going basis, it is recommended that third parties should be retained periodically to ensure appropriate levels of coverage and oversight.

    Info-Tech Research Group has developed the following outline for conducting a thorough assessment. You can also download their Security Assessment Policy at no cost from the IT Business Edge Knowledge Network.

    Security and Vulnerability Assessment

    The 10-step security and vulnerability assessment plan outlined by Info-Tech Research Group:

    1. Determine the scope of assessments to be performed.
    2. Establish a prioritized assessment schedule.
    3. Identify and gather required skills and tools.
    4. Create an assessment implementation plan.
    5. Review system documentation, including system configuration documents and system log files, to determine the expected security configuration and capabilities of the system.
    6. Identify and analyze the target system through investigative techniques that include network foot-printing, port and service scanning, and vulnerability assessment.
    7. Validate vulnerabilities that may be discovered through techniques that include penetration testing, password cracking and social engineering.
    8. Review validated assessment findings to determine the risk and cost impact on the organization.
    9. Create a final report outlining the findings of the assessment.

    Violations of any of the constraints of the established policies or procedures should be considered a security breach and, depending on the nature of the violation, various sanctions need to be taken. Such action may include a written reprimand for a minor breach, suspension for multiple minor breaches or a major breach, or termination for multiple major breaches.
