"
Of course I need to be compliant and my procedures have to match my policies... but Redspin also makes sure my vendors have actually implemented things correctly & securely... the way I was promised."
Redspin Customer

Policies and Controls Testing

Redspin's Internal Controls Security Assessment has been designed to provide third-party objective testing of your organization's internal control environment to support and strengthen your Information Security Program (ISP) and improve management's overall knowledge of risk.

Redspin has developed multiple controls testing services based on industry standards and on Redspin's own standards. These services share the same methodology but differ in the exact scope of controls reviewed. To understand the role this type of testing plays in your environment, please review the Risk Management section below. It is followed by a description of our methodology and a brief description of each scope of work.

Risk Management

Redspin has simplified the traditional Risk Management Framework (Figure 1) into three primary steps:
Identify the risk.
Mitigate the risk.
Assess security controls.

This continuous process starts with identifying the current risk within your environment, often by performing an internal risk assessment, which results in defining and documenting controls (in the form of policies) to mitigate the known risk. This is followed by implementing the documented controls, often involving new software, hardware, and procedures. Lastly, once controls have been implemented, they must be tested and monitored on a regular basis to confirm they are operating as intended. As the environment changes, the cycle repeats: identify new risk, implement new controls, and continue testing to confirm that risk stays at the accepted level.

[Figure: Risk Management Framework - Security Life Cycle]
Figure 1. Formal Risk Management Program (NIST SP 800-39)

For an organization with little management oversight of its ISP, limited documentation, and minimal past testing of internal controls, this assessment is part of the first step, identifying the risk. In this case, the goal of the assessment is to establish the initial baseline: it identifies current vulnerabilities and the associated risk that the organization will use to build its Risk Management Program. The output here is not a list of policies but a list of vulnerabilities that feeds into the risk assessment process. Where no documented controls exist, a gap analysis is performed between the controls actually implemented and best practice.

For organizations with an established ISP, this assessment falls into the third step, assessing security controls. In this case, the goal of the assessment is to serve as the testing component for the previously identified and implemented controls that mitigate known risk. The focus here is less on identifying unknown areas of risk than on identifying control failures that expose the organization to more risk than management believed it carried.

Methodology

Regardless of the role this assessment fills, the methodology employed is consistent. The assessment begins with onsite testing by our security engineering team, which collects data through interviews, observation, credentialed domain access, review of device configurations, capture of network traffic flows, and review of documented policies and procedures. This is followed by off-site analysis and concludes with the reporting phase.

Throughout the project, discovery and analysis proceed iteratively: as information is gathered, the growing picture of the system as a whole provides the context for further evaluation.

The workflow roughly follows these steps:

  • Logical network and system analysis
  • Business process analysis
  • Identification of existing controls
  • Control analysis
  • Recommendations
Scope

Please select the scope below that most closely matches your control environment.

Industry Standards
HIPAA Risk Analysis

This scope of work is appropriate for healthcare organizations that are responsible for protecting electronic protected health information.

FFIEC Internal Security Assessment

This scope of work is appropriate for financial institutions that are responsible for protecting their clients' nonpublic information.

PCI DSS Gap Analysis

This scope of work is appropriate for institutions that are responsible for protecting cardholder information.

NERC Cyber Security Assessment

This scope of work is appropriate for energy providers that connect to, and are responsible for protecting, the bulk electric system.

Redspin Standards
Technical Internal Security Assessment

This scope of work is appropriate for organizations that have never performed an internal security assessment, or that want an in-depth review of technical controls to complement existing non-technical testing.

Virtualization Internal Security Assessment

This scope of work is appropriate for organizations that have recently deployed a virtualized environment or that rely on a virtualized system to support critical business functions.

Other

If none of our standard scopes fully addresses your testing requirements, send us your requirements and we will tailor an assessment to your environment.
