Information Security Assessments
Integral to any Information Security Management System (ISMS) is the process of “assessing” the control environment to understand where control gaps may be leaving the organization at unacceptable risk. PPS’s Information Security Assessment activities generally fall into one (or more) of the following types:
- Design Assessment activities which evaluate the appropriateness of controls by comparing the control design against the client’s control objectives, industry good practice, laws/regulations, and/or the auditor’s professional judgment (e.g., an Application Architecture Review).
- Compliance Assessment activities which validate that the control measures established are working as designed, consistently, and continuously (e.g., a Password Audit).
- Substantive Assessment activities that provide assurance that the “net” control objectives are being achieved, and where they are not, provide a measure of probability and business impact (e.g., a Penetration Test).
- The Shared Assessments Program, which was created by leading financial institutions, accounting firms, and key service providers to inject standardization, consistency, speed, efficiency and cost savings into the vendor risk assessment process.
Representative services are detailed below. However, the ideal information assurance activities for your organization may be as unique as the specific Information Security risks you face. Because we work with you, we can tailor services to meet your specific needs.
Application Source Code Scanning: Provides a fully automated mechanism to identify potential security vulnerabilities in the source code of an application. By identifying coding flaws and design errors that put data and operations at risk prior to deployment, source code scanning is an integral part of a comprehensive Application Security program.
Application Security Code Review: The manual review of source code with the developers to identify source code-level issues that may enable an attacker to compromise an application, system, or business functionality. Because they are manually intensive and expensive, Security Code Reviews are always focused on particularly high-risk areas of the code.
Network Architecture Review: A review and analysis of relevant network artifacts (e.g., network diagrams, security requirements, technology inventory, DMZ) to identify how the network architecture and controls protect critical assets, sensitive data stores and business-critical interconnections in accordance with the organization’s business and security objectives.
Active Directory: An organization’s Active Directory Services provide the literal “keys to the kingdom,” and as such, any directory vulnerability can instantly degrade the security of the entire organization: once sufficient privilege is acquired, a malicious user can control access to every information asset and IT asset protected by the directory.
Firewall Assessment: When managing a firewall, the highest possible level of assurance is knowing exactly what access is, and is not, allowed throughout your infrastructure. A comprehensive review of all packet filtering devices in your network is the best mechanism to obtain this level of assurance.
Configuration/Change Management Review: Effectively managing the never-ending changes necessitated by changing business conditions is a challenge for virtually every organization. Managing the configuration means providing reasonable assurance that the potentially significant risk resulting from these changes is fully managed as well. Configuration/change management reviews are intended to provide management with assurance that critical change management processes are in place and operating as intended.
Database Architecture Review: A review and analysis of relevant database artifacts (e.g., requirements, database security requirements, application security requirements for applications leveraging the database) to identify how the database architecture, enabled technologies, and configuration protect critical assets, sensitive data stores and business-critical interconnections in accordance with the organization’s business and security objectives.
Database Operational Assessment: Only by a thorough review of the critical processes governing the operation of a database can we have assurance that the confidentiality of the data it processes is protected, the integrity of the data it maintains is enforced, and the availability of the data it transits is ensured. Operational Audits are the most effective mechanism to provide this assurance.
Security Code Review: The manual review of stored procedures with the database developers to identify source code-level issues that may enable an attacker to compromise the database. Because they are manually intensive and expensive, Security Code Reviews are always focused on particularly high-risk areas of the code.
Security Certification and Accreditation (SC&A): A formally defined process designed to “certify” that an information system meets documented security requirements before the information system is “accredited” into operations (e.g., goes live). It incorporates mechanisms to ensure that the information system will continue to maintain the accredited security posture throughout the system life cycle. Responsibility and accountability are core principles that characterize security accreditation, as the “accreditor” accepts responsibility for the security of the system and for any adverse impact to the entity if a breach of security occurs.