Security Assessments
Development and implementation of a security plan is essential to safeguard your company's data and minimize risks to unintended privacy disclosure. There are many aspects to security and a good place to start is to hire a services company to perform an audit to assess your current risk exposures. Here is a list where by United Force can help you create a security policy and focus on the following areas in our report.
Security Controls
http://en.wikipedia.org/wiki/ISO/IEC_27001
Physical controls e.g. fences, doors, locks and fire extinguishers;
Procedural controls e.g. incident response processes, management oversight, security awareness and training;
Technical controls e.g. user authentication (login) and logical access controls, antivirus software, firewalls;
Legal and regulatory or compliance controls e.g. privacy laws, policies and clauses.
A similar categorization distinguishes control involving people, technology and operations/processes.
Information security controls protect the confidentiality, integrity and/or availability of information (the so-called CIA Triad). Again, some would add further categories such as non-repudiation and accountability, depending on how narrowly or broadly the CIA Triad is defined.
Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO/IEC 27002, the Information Security Forum's Standard of Good Practice for Information Security and NIST SP 800-53 (more below). Organizations may also opt to demonstrate the adequacy of their information security controls by being independently assessed against certification standards such as ISO/IEC 27001.
Risk Management Framework
Assessment methodology phases
Technical assessment techniques
Why do assessment?
Help confirm that systems are properly secured
Identify any organization security requirements that are not met, and other security weaknesses that should be addressed
Meet requirements to periodically assess systems
Specifics to concentrate on.
Examination techniques, generally conducted manually
Evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities
Techniques include
Documentation review
Log review
Ruleset and system configuration review
Network sniffing
File integrity checking
Testing techniques, generally performed using
automated tools
Identify systems, ports, services, and potential vulnerabilities
Techniques include
Network discovery
Network port and service identification
Vulnerability scanning
Wireless scanning
Application security examination