Information Security Office

Security Assessment Description and Questionnaire

The Information Security Office offers many types of assessments to meet our customers' needs. This document explains the process for requesting an assessment, describes the set of security assessment services that the Information Security Office (ISO) offers to members of the campus community, and provides a questionnaire that is used to assist in understanding the target environment.

The ISO is not able to assess every possible platform or application.  Nor is it possible for the ISO to meet every timeline requirement.  In those cases, the ISO may contract with external partners to deliver the requested assessment service.  There may be associated costs that will need to be passed along to the requesting organizational unit. 

Process:

The Information Security Office has created a simple process around vulnerability assessments to provide clarity and consistency. The process is outlined below.

  1. Contact the ISO (request assessment)
  2. The ISO accepts the project
  3. A questionnaire (later in this document) is completed by the customer
  4. A scoping/kick-off meeting is held
    • The goal of the meeting is to try to determine which type of assessment is appropriate, the scope of the assessment, a timeline and contact information.  The product of the meeting is a Statement of Work that will be agreed upon and signed by both parties.
  5. The assessment is scheduled (projected end date is noted as well)
  6. Assessment is performed during agreed upon times
    • The ISO and the customer will be in contact throughout the process.  Any findings that are deemed urgent (presenting an immediate security risk) would be communicated immediately to the customer.
  7. The assessment report is produced and reviewed by the ISO group
  8. The report is distributed to the customer and a review meeting is scheduled
  9. The wrap-up meeting is held where detailed findings are explained
  10. Both groups sign off on the results

Security Assessment Services

In this section, you will find the description of the most common assessment scenarios.  These can be customized in many ways to meet a customer’s needs.  Each type of assessment takes varying amounts of time and is impacted by the number of targets (applications, servers, networks, etc.).  The exact type of assessment should be determined in the “kickoff” meeting.

  • Network Based (Attack & Penetration)

Penetration testing includes components of application vulnerability assessment, host vulnerability assessment, and security best practices. This type of test can be performed with or without detailed prior knowledge of the environment.  When it is performed without prior knowledge, additional steps will be taken to enumerate hosts and applications and to assess the ease with which any outsider could exploit publicly available information or social engineering to gain unauthorized access.

An attack and penetration test will answer questions like:

  • How vulnerable is the network, host, and application(s) to attacks from the internet or intranet?
  • Can an intruder obtain unauthorized access to critical resources?
  • Are social engineering techniques effective?
  • Are operational controls effective?

This would involve the ISO acting as an attacker and looking at the system as an outsider.  The ISO would look for:

  • Remotely exploitable vulnerabilities
  • Patch levels (OS and Apps)
  • Unnecessary services
  • Weakness of encryption
  • Weakness of authentication

  • Host Based

This is an assessment of the health and security of a given workstation or server.  Automated scanning tools (e.g. Nessus) are the primary vehicle for this type of assessment.  Additional hands-on inspection may also be necessary to assess conformance to security best practice.

This assessment will answer questions like:

  • Is patching up to date?
  • Are unnecessary services running?
  • Are anti-virus/anti-malware signatures up to date?

This would involve the ISO acting as a Sys Admin and auditing the system and applications looking for:

  • Locally exploitable vulnerabilities
  • Patch levels (OS and Apps)
  • Access rights
  • Security best practices

  • Application

This is an assessment of the functionality and resilience of the compiled application to known threats.  This assessment focuses on the compiled and installed elements of the entire system: how the application components are deployed, communicate or otherwise interact with both the user and server environments. 

Application scanning tools as well as manual testing with and without application credentials are used to perform this assessment. Typically some host, network, and general information security practices are assessed as part of an application vulnerability assessment.

This assessment will answer questions like:

  • Does the application expose the underlying servers and software to attack?
  • Can a malicious user access, modify, or destroy data or services within the system?

This would involve the ISO auditing an application (typically web based) and looking for vulnerabilities like:

  • SQL Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Improper data sanitization
  • Buffer overflows (limited)
  • Mis-configured/weak authentication
  • Etc.

  • Compliance

This would involve the Information Security Office auditing (or assisting in the coordination of an audit if the ISO is not trained to conduct the specific audit) systems for compliance with specific regulations:

  • HIPAA
  • FERPA
  • GLBA
  • PCI
