The IT Security Assessment is not a simple automated vulnerability scan, but rather a comprehensive evaluation of security controls in place against best practices and can include:
Clear Skies' methodology for an IT Security Assessment (ISA) offers the client maximum flexibility to customize a security assessment to their critical business risks. The goal of the assessment is to identify overall security risks across the enterprise, from the inside out. Given this additional level of insider access, Clear Skies consultants have the opportunity to examine components of the enterprise not normally available during a standard remote assessment, for example by reviewing actual configuration files. Additionally, the ISA takes a more comprehensive view of the enterprise by also examining non-technical controls such as policy, physical security, and social engineering vulnerabilities.
The overall project begins with the consultants understanding the existing security controls through examination of the architecture and a technical controls review. Next, all in-scope areas of the enterprise are examined for technical vulnerabilities, including network devices, operating systems, standard applications, and database systems.
All of the technical vulnerabilities are then compared to the information gathered during the controls review. This is a critical phase of the project, as it ensures that true risk ratings are provided based on the existing preventive measures and not just standard vulnerability ratings. The final deliverable combines all of the findings to provide vulnerability risk ratings customized to the environment, and also strives to acknowledge the positive findings, the areas where the organization is doing well.