Online Information Security Assessments
The Online Security Assessments feature is designed for independent audit by Redhawk for regulatory compliance. It may also be used for self-audit and is well suited to PCI compliance work. Areas addressed are IT Controls, Internal Network, External Network, Social Engineering, Wireless, and Telephony assessment, covering the control objectives detailed below:
- Administrative and Physical Control Objectives
- Information Systems Strategy, Planning and Personnel
- Relationship with Outsourced Vendors
- Business Continuity Planning
- Information Systems Operations
- Network Support & Security
- Hardware & Operating System Support
- Application Development and Maintenance
- Information Systems Security
- Organization Controls
Technical Control Objective - Security of the Network from External Attack
Tests of the external control objectives are performed to identify vulnerabilities associated with Internet connectivity and the external network. Testing includes evaluation of security in the following areas:
- Internet Design and Services
- Internet Border Devices
- IPS (Intrusion Prevention System)
- Firewall
- Remote Access
- Internet Servers
Technical Control Objective - Security of the Network from Internal Attack
The review of the internal control objectives includes vulnerability scanning and evaluation of security in the following areas:
- Network Design
- Wide Area Network
- Local Area Network
- Internal Servers and Printers
- Wireless
- Modems
- Vendor and Partner Connectivity
- Logging and Network Time
- Data in Transit and Portable Devices
Audit
ISO/IEC 27001 provides the foundation for third-party audit. The objective of the standard is to help establish and maintain an effective information management system within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of the organization.
Risk Definitions and Actions
The Redhawk Risk Methodology is based on National Institute of Standards and Technology (NIST) Special Publication 800-30 and uses the following risk definitions:
High - Controls intended to prevent the vulnerability from being exploited are ineffective in mitigating the threat-source. There is a strong need for corrective measures, and an action plan must be put in place as soon as possible.
Medium - Controls are in place that may impede exploitation of the vulnerability by a threat-source. Corrective actions are needed, and a plan must be developed within a reasonable period of time.
Low - Controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised by a threat-source. The system's administrator must determine whether corrective actions are required or decide to accept the risk.
Compliant - Controls are in place to prevent the vulnerability from being exploited by all levels of threat-source. The risk is mitigated.