INTERNAL SECURITY ASSESSMENT


An Information Security Assessment (ISA) assesses an organization from the inside out, combining technical testing with best-practice reviews of infrastructure and configurations to provide a comprehensive view of the current state of security controls on the network. An ISA is broader in scope than a traditional Pen or App test, allowing a more enterprise-wide security assessment that examines people, processes, and technology. The ISA is made up of a collection of different testing options, allowing customers to create an offering that best fits their specific security needs. Upon completion of the testing, an organization should have a solid understanding of where its gaps are from an overall security management perspective.

The Internal Security Assessment is not a simple automated vulnerability scan, but rather a comprehensive evaluation of the security controls in place against best practices. It can include:

  • Architecture Review
  • Policy Reviews
  • Network/Host/Database Testing
  • Technical Controls Review (firewall/router/AV/IPS configuration reviews)
  • Wireless Testing
  • War Dialing
  • VOIP Assessments
  • Virtual Server Security Testing
  • Social Engineering
  • Physical Security Testing

Service Summary

  • A comprehensive evaluation of the network security architecture against best practices
  • Evaluation of the current technical security mechanisms and controls
  • Tests all levels of the enterprise
  • Detailed recommendations to reduce risks
  • Business analysis provides executive perspective

Methodology



Clear Skies’ methodology for an Internal Security Assessment (ISA) offers maximum flexibility to the client to customize a security assessment specific to their critical business risks. The goal of the assessment is to identify overall security risks across the enterprise, from the inside out. Given this additional level of insider access, Clear Skies consultants have the opportunity to examine components of the enterprise not normally available during a standard remote assessment, such as actual configuration files. The ISA also takes a more comprehensive view of the enterprise by covering non-technical controls like policy, physical security, and social engineering vulnerabilities.

The overall project begins with the consultants understanding the existing security controls through examination of the architecture and a technical controls review. Next, all in-scope areas of the enterprise are examined for technical vulnerabilities, including network devices, operating systems, standard applications, and database systems.

All of the technical vulnerabilities are then compared to the information gathered during the controls review. This is a critical phase of the project, as it ensures that true risk ratings are provided based on the existing preventive measures and not just standard vulnerability ratings. The final deliverable combines all of the findings to provide vulnerability risk ratings customized to the environment, and also strives to acknowledge the positive findings: the things the organization is doing well.

ADDITIONAL INFORMATION

Clear Skies works hard to fulfill our promises and commitments in helping our customers be as strategic as possible in managing their information security objectives. Our consultants have years of experience with security testing throughout multiple industries, and this knowledge base is one of the key differentiators for Clear Skies. At Clear Skies we take pride in our quality deliverables and our client satisfaction, and ultimately we want to ensure our Intelligence Secures your Intelligence.
