
FRSecure Assessment Methodology



This is an abbreviated version of our full methodology. Please contact us for our full methodology or to request a quote.


Scope



A full FRSecure Information Security Assessment is comprised of five phases:
  • Phase 1 - Administrative Security Controls Assessment
  • Phase 2 - Physical Security Controls Assessment
  • Phase 3 - Internal Network Security Assessment
  • Phase 4 - External Network Security Assessment
  • Phase 5 - Application Security Assessment (where applicable)


Phase 1 - Administrative Security Controls Assessment


This phase, the Administrative Security Controls Assessment, consists of a thorough review of the administrative controls employed by the organization. Administrative security controls are those controls meant to govern the behaviors of people.

Common administrative security controls found in organizations are:
  • Policies
  • Standards
  • Procedures
  • Training
  • Awareness


Phase 2 - Physical Security Controls Assessment


Phase 2 of the FRSecure Information Security Assessment is a review of physical security controls. Physical security controls are commonly referred to as those controls which can be touched.


Phase 3 - Internal Network Security Assessment


The Internal Network Security Assessment consists of:
  • A network architecture and practices review, documented in the Network Overview section of this document, and
  • A vulnerability scanning and analysis exercise. Vulnerability scanning and analysis are used to determine the number and impact of potentially significant technical vulnerabilities in the environment.


Phase 4 - External Network Security Assessment


The primary objective of the External Network Security Assessment exercise is to identify significant vulnerabilities that pose a risk to unauthorized information disclosure, alteration, and/or destruction through publicly accessible* information resources.

*Publicly accessible is defined as those resources which are purposefully or accidentally made available through the Internet.


Phase 5 - Application Security Assessment (where applicable)


Phase 5 of the FRSecure Information Security Assessment is optional, depending upon whether or not the organization participates in application development or if the organization contracts with third-party application developers to create software used by the organization.


Phase 5 is focused on the following four areas of application security:
  • Application Purpose and Architecture
  • Application Development and Testing
  • Application Level User Management Practices
  • Business Continuity Management


Process


At a high level, the assessment process is comprised of five steps:
  • Planning and coordination - planning timelines, resource constraints, and activities.
  • Information gathering - a combination of remote and onsite information gathering used to justify risk findings and ratings.
  • Organization and comparison - paring thousands of pages of information into manageable "chunks" and comparing them against well-known industry standards/practices*.
  • Analysis and quantification - analysis of control gaps (coverage, quality, functionality, etc.) and quantification of associated risks.
  • Translation and communication - translation of risks into grading, risk prioritization, generation of recommendations, and production of reports.

*Information gathered during the assessment is compared against well-known industry standards such as those found in ISO 27002 (17799:2005), NIST, and others.


Deliverables

The primary purpose of the assessment deliverables is to communicate the findings and recommendations to relevant parties.

Deliverables include:
  • Information Security Assessment Executive Summary Report - a high-level overview of the assessment process, findings, and recommendations.
  • Information Security Assessment Full Report - an in-depth report that details the assessment process, all findings, all recommendations, and an action plan.

Sample deliverables are available upon request.

