Integral to any Information Security Management System (ISMS) is the process of “assessing” the control environment to understand where control gaps may be leaving the organization at unacceptable risk. PPS’s Information Security Assessment activities generally fall into one (or more) of the following types:
- Design Assessment activities which evaluate the appropriateness of controls by comparing the control design against the client’s control objectives, industry good practice, laws/regulations, and/or the auditor’s professional judgment (e.g., an Application Architecture Review).
- Compliance Assessment activities which validate that the control measures established are working as designed, consistently, and continuously (e.g., a Password Audit).
- Substantive Assessment activities that provide assurance that the “net” control objectives are being achieved, and where they are not, provide a measure of probability and business impact (e.g., a Penetration Test).
Representative services are detailed below. However, the ideal information assurance activities for your organization may be as unique as the specific Information Security risks you face. Because we work with you, we can tailor services to meet your specific needs.
Application Source Code Scanning: Provides a fully automated mechanism to identify potential security vulnerabilities in the source code of an application. By identifying coding flaws and design errors that put data and operations at risk prior to deployment, source code scanning is an integral part of a comprehensive Application Security program.
Application Security Code Review: The manual review of source code with the developers to identify source code-level issues that may enable an attacker to compromise an application, system, or business functionality. Because they are manually intensive and expensive, Security Code Reviews are always focused on the particularly high-risk areas of the code.
Network Architecture Review: A review and analysis of relevant network artifacts (e.g., network diagrams, security requirements, technology inventory, DMZ) to identify how the network architecture and controls protect critical assets, sensitive data stores, and business-critical interconnections in accordance with the organization’s business and security objectives.
Active Directory: An organization’s Active Directory Services provide the literal “keys to the kingdom,” and as such, any directory vulnerability can instantly degrade the security of the entire organization: once sufficient privilege is acquired, a malicious user can control access to every information and IT asset protected by the directory.
Firewall Assessment: When managing a firewall, the highest possible level of assurance is knowing exactly what access is, and is not, allowed throughout your infrastructure. A comprehensive review of all packet filtering devices in your network is the best mechanism to obtain this level of assurance.
Configuration/Change Management Review: Effectively managing the never-ending changes necessitated by changing business conditions is a challenge for virtually every organization. Managing the configuration means providing reasonable assurance that the potentially significant risk resulting from these changes is fully managed as well. Configuration/change management reviews are intended to provide management with assurance that critical change management processes are in place and operating as intended.
Database Architecture Review: A review and analysis of relevant database artifacts (e.g., requirements, database security requirements, application security requirements for applications leveraging the database) to identify how the database architecture, enabled technologies, and configuration protect critical assets, sensitive data stores, and business-critical interconnections in accordance with the organization’s business and security objectives.
User Rights Auditing: One of the greatest challenges to ensuring that a database achieves its security objectives is the complexity of managing the various classes of users, roles and privileges associated with the database itself and the myriad of applications it may support. This is further complicated by the importance of comprehensive segregation of duties requirements and the ability to demonstrate the same for compliance with relevant laws and regulations.
Database Operational Assessment: Only by a thorough review of the critical processes governing the operation of a database can we have assurance that the confidentiality of the data it processes is protected, the integrity of the data it maintains is enforced, and the availability of the data it transits is ensured. Operational Audits are the most effective mechanism to provide this assurance.
Security Code Review: The manual review of stored procedures with the database developers to identify source code-level issues that may enable an attacker to compromise the database. Because they are manually intensive and expensive, Security Code Reviews are always focused on the particularly high-risk areas of the code.
Security Certification and Accreditation (SC&A): A formal defined process designed to “certify” that an information system meets documented security requirements before the information system is “accredited” into operations (e.g., goes live). It incorporates mechanisms to ensure that the information system will continue to maintain the accredited security posture throughout the system life cycle. Responsibility and accountability are core principles that characterize security accreditation, as the “accreditor” accepts responsibility for the security of the system and any adverse impacts to the entity if a breach of security occurs.
Data Loss Prevention / Extrusion Testing: Despite increased emphasis on technical controls intended to prevent data breaches of Personally Identifiable Information (PII), Patient Health Information (PHI), Card Holder Data (CHD), and Intellectual Property (IP), data loss continues to be a problem. Generally, the emphasis in controlling these types of attacks has been to prevent malicious access into the environment; however, this provides little protection against a malicious insider, or against a malicious outsider who has already bypassed the external security mechanisms.
Compliance Assessment: Information Security compliance is the state where your entity is in accordance with established guidelines, specifications, or legislation and is capable of proving it. The complexity grows in direct proportion to the magnitude of the organization and the number of standards the organization is subject to.
Service Oriented Architecture (SOA): There is a rapid movement to SOA because of the promise it brings for unprecedented levels of agility by allowing the business to respond to rapidly changing forces quickly, easily and with a minimum of risk. SOA can be used to create reusable business services, discover existing business services within and beyond an environment, manage business services throughout their lifecycle, assemble business services to support an end-to-end business process, and deliver the outcome of business services in deployment.