Security Assessment/Vulnerability Assessment
Information Security is an essential function in today’s business
environment. Regulations such as SOX, HIPAA, GLB, and CA SB1386/AB1950 are continually
raising the bar for corporate security standards. Data such as financial records,
employee personal information, client lists and data, proprietary code, email, and
web content must be secured to control business risk and maintain compliance.
Having periodic independent security assessments conducted is an IT best practice
generally accepted as a required control measure to achieve SOX 404 IT compliance.
MindSource's Information Security Assessment services help meet compliance requirements
and ensure that corporate information assets are protected from internal and external
threats, including viruses, hackers, and employees.
Global Information Security Assessment and Audit (GISAA)
The GISAA is MindSource’s flagship security assessment service and can be
described as a combination of the Perimeter, Critical Asset, and Wireless Security
Assessment services, as well as an analysis of the current Policies, Procedures
and Practices. This comprehensive assessment tackles security of design and implementation
of network infrastructure and individual systems and applications. The GISAA addresses
not only technical security concerns but also organizational security risks.
The assessment deliverable is a risk-based analysis of corporate information security
issues, with prioritized recommendations based on a vulnerability and remediation
cost-benefit analysis. The GISAA addresses critical risk issues of operating an
information-reliant business and global network.
The various service components are illustrated in the figure below.
[Figure: MindSource’s Global Information Security Assessment and Audit Landscape]
Perimeter Security Assessment (PSA) / Ethical Hacking /
Penetration Testing
The PSA is performed offsite and focuses on an external assessment of vulnerabilities
that can be exploited on a company’s network as seen from the Internet. This
point of view is often termed the “hacker’s perspective.” This
assessment may be performed blind, without any preliminary information about a company’s
network and includes a Visibility and Exposure Analysis to evaluate a company’s
Internet footprint and its susceptibility to attack. Based on the requirements of
the client, the scope of the PSA can be modified to include ethical hacking or penetration
testing.
Critical Asset Security Assessment (CASA)
The CASA is an onsite internal analysis of the security of critical infrastructure
devices such as firewalls, routers, servers, and other mission-critical and shared
resources. It goes beyond the PSA by evaluating security of critical applications
and devices located behind perimeter defenses. Our experts validate principles of
layered security (or defense-in-depth) and assess exposure to attack propagation.
By taking a risk-management approach, the report highlights the most critical vulnerabilities
and provides recommendations for remediation.
Wireless Security Assessment (WSA)
Wireless LAN deployments have become standard in corporate network environments;
yet, the security of wireless LANs remains substandard. MindSource evaluates the
security of wireless LAN deployments to ensure that they do not put the corporate
network, and, therefore, highly confidential information, at risk. Our WSA also
mitigates risk of rogue wireless access points installed by “resourceful”
employees without IT departmental consent. MindSource’s report provides best-practices
recommendations for securing wireless LANs.
Policies, Procedures, and Practices Assessment (PPPA)
Based on interviews with management, staff, and employees, MindSource
assesses de facto and documented information security policies, procedures,
and practices. The responses are compared with written policy and procedure
documents to assess the level of compliance. Documentation gaps are identified
and remediation efforts defined. The documented and de facto policies
and procedures are compared with best practices and regulatory requirements
as applicable, including ISO17799, NIST, SOX, HIPAA, and GLB, and a gap
analysis and recommendations are provided.