Redspin has developed multiple controls testing services based on both industry standards as well as Redspin's proprietary standards. These standards share the same methodology but differ in the exact scope of controls reviewed. To understand the role this type of testing plays in your environment, please review the Risk Management section below. This is followed by a description of our methodology and a brief description of each scope of work.
This continuous process starts with identifying the current risk within your environment, often by performing an internal risk assessment, which results in defining and documenting controls (in the form of policies) to mitigate the known risk. This is followed by implementing documented controls, often involving new software, hardware, and procedures. Lastly, once controls have been implemented, they must be tested and monitored on a regular basis to ensure they are operating as expected. As the environment changes, the cycle repeats to identify new risk, implement new controls, and continue testing to ensure risk levels are mitigated as expected.
For an organization with little management oversight of their ISP, limited documentation, and minimal past testing of internal controls, this assessment is part of the first step, identifying the risk. In this case, the goal of the assessment is to serve as the initial baseline to help identify current vulnerabilities and associated risk that the organization will use to build their Risk Management Program. The output in this case is not a list of policies, but rather a list of vulnerabilities that will be used as an input into the risk assessment process. In lieu of existing documented controls, a gap analysis is performed between implemented controls and best practices.
For those organizations with an established ISP, this assessment falls into the third step, assessing security controls. In this case, the goal of the assessment is to serve as the testing component of previously identified and implemented mitigating controls of known risk. The focus here is less on identifying unknown areas of risk, but rather, identifying control failures that expose the organization to greater risk than previously believed.
Methodology

Regardless of the role this assessment fills, the methodology employed is consistent. The assessment begins with onsite testing by our security engineering team that involves data collection in the form of interviews, observation, credentialed domain access, reviewing device configurations, capturing network traffic flows, and reviewing documented policies and procedures. This is followed by off-site analysis and concludes with the reporting phase.
Throughout the entire project, an iterative process of discovery and analysis occurs as information is gathered and more knowledge of the system as a whole helps build a context for further evaluation.
This scope of work is appropriate for healthcare organizations that are responsible for protecting electronic protected health information.
This scope of work is appropriate for financial institutions that are responsible for protecting their clients' nonpublic information.
This scope of work is appropriate for institutions that are responsible for protecting cardholder information.
This scope of work is appropriate for energy providers that connect to and are responsible for protecting bulk electric systems.
This scope of work is appropriate for institutions that have never performed an internal security assessment or are looking for an in-depth review of technical controls to complement existing non-technical testing.
This scope of work is appropriate for institutions that have recently deployed a virtualized environment or rely on a virtualized system to support critical business functions.
If one of our standard scopes does not fully address your testing requirements, send us your requirements and we will custom tailor an assessment for your environment.