Security Assessment Framework  

Security Assessment Methodology

A comprehensive security assessment methodology has been developed by the Chief Information Security Officer to assist agencies in evaluating their security policies and procedures. It gives agency officials a method to determine the current status of their security programs relative to existing policy and to establish targets for improvement. This framework may be used to assess the status of security controls for a given asset or collection of assets. These assets include information, individual systems (e.g., major applications, general support systems, mission critical systems), a logically related grouping of systems that support operational programs, or the operational programs themselves. Assessing all of an asset's security controls, and all interconnected systems that the asset depends on, produces a picture of both the security condition of an agency component and of the entire agency. The Security Assessment Methodology framework is as follows:

0. Baseline Security Best Practices Assessment

What

Review entity's security policies, procedures and documentation to determine security posture with respect to ISO 17799.  This assessment is based solely on review session(s) and documentation review.  No testing or technical reviews are performed.

How

  1. Complete baseline assessment checklist with agency contacts.
  2. Review requested information.
  3. Identify gaps and weaknesses.
  4. Issue general findings report.

Who

  1. Assessment team.
  2. Chief Security Officer / IT Security Manager.
  3. Chief Information Officer.

Requested Information

  1. Organizational roles and responsibilities.
  2. Risk management plans.
  3. Policies, procedures, standards, and guidelines relevant to ISO 17799.
  4. General network and system documentation.
  5. Continuity plans.
  6. Prior security assessment findings.

Time

Four hours to facilitate the completion of the general assessment checklist and eight hours to document results.

1. Security Policy & Organization Review

What

Review entity's security policies, procedures and organizational structure and assess against Commonwealth requirements and industry best practices.

How

  1. Develop request for information checklist.
  2. Review requested policies and procedures from entity contact.
  3. Conduct sessions to review entity's policies and procedures.
  4. Compare gathered policies and procedures to Commonwealth policies.
  5. Identify policy and procedure gaps and weaknesses.
  6. Issue technical report.

Who

  1. Assessment team.
  2. Chief Security Officer / IT Security Manager - personnel with knowledge of the entity's policies and procedures.

Requested Information

  1. Policies and procedures for security and information technology processes.
  2. Guidelines and standards.
  3. Organizational charts and roles and responsibilities documentation - IT and business including segments, departments, teams, boards of directors.
  4. IT governance structure.
  5. Segregation of duties strategy.

Time

Two hours for interviews, eight hours to review documentation and eight hours to document results.

2. Physical and Environmental Security Assessment

What

Review the entity's physical and environmental security controls.

How

  1. Develop request for information checklist.
  2. Review requested documentation from entity contact.
  3. Conduct walkthrough with person(s) responsible for managing physical and environmental security.
  4. Review documentation with key contacts.
  5. Conduct interview utilizing physical and environmental security assessment checklist.
  6. Identify gaps and weaknesses.
  7. Issue technical report.

Who

  1. Assessment team.
  2. Facilities management / physical security - personnel with knowledge of the physical security of information processing location and related policies and procedures.

Requested Information

  1. Facility plans and schematics.
  2. Listing of physical data center access and environmental controls.
  3. Physical and environmental related policies and procedures including access, guest access, new resource provisioning, termination procedures, access in the event of a disaster, etc.
  4. Emergency evacuation procedures.

Time

One hour for walkthrough, two hours to review assessment checklist and four hours to document results.

3. Internal Network Discovery & Vulnerability Scans

What

Review current network topology.  Conduct internal network scans utilizing a vulnerability assessment tool.

How

  1. Develop request for information checklist.
  2. Review requested documentation from entity contact.

Option 1 - Run scan from open area simulating an unauthorized user gaining access to the facility

  1. Notify appropriate personnel of activities.
  2. Load selected tool on laptop (system and network discovery, vulnerability scanning).
  3. Select representative subnets based upon criticality and random sample.
  4. Run system discovery tool.
  5. Select systems to scan based upon criticality and random sample.
  6. Run vulnerability scanning tool(s).
  7. Review scans, compare if using more than one tool.
  8. Generate report.

Option 2 - Run scan from a typically configured, authorized desktop

  1. Notify appropriate personnel of activities.
  2. Procure authorized device.
  3. Load selected tool on device (system and network discovery, vulnerability scanning).
  4. Select representative subnets based upon criticality and random sample.
  5. Run system discovery tool.
  6. Select systems to scan based upon criticality and random sample.
  7. Run vulnerability scanning tool(s).
  8. Review scans, compare if using more than one tool.
  9. Issue technical report.

Who

  1. Assessment team.
  2. Network manager - personnel to identify network subnets and physical connection points.
  3. System owners - personnel who can identify critical systems by subnet.

Requested Information

  1. Network documentation.
  2. System inventories by network segment including criticality.
  3. Results of security assessments.

Time

Depends on number of systems and subnets.  Average of four hours per well populated subnet scan and four hours to document results.

4. External Network Discovery & Vulnerability Scan

What

Review current network topology.  External network scans utilizing a vulnerability assessment tool.

How

  1. Develop request for information checklist.
  2. Review requested documentation from entity contact.
  3. Identify which subnet testing will originate from.
  4. Identify subnets and systems to scan and review with contacts.
  5. Schedule time to perform scans and coordinate availability of technical resources.
  6. Notify appropriate personnel of activities.
  7. Load selected tool on laptop (system and network discovery, vulnerability scanning).
  8. Select representative subnets.
  9. Run system discovery tool.
  10. Select systems to scan.
  11. Run vulnerability scanning tool(s).
  12. Review scans, compare if using more than one tool.
  13. Issue technical report.

Who

  1. Assessment team.
  2. Network manager - personnel to identify network subnets and physical connection points.
  3. System owners - personnel who can identify critical systems by subnet.

Requested Information

  1. Network documentation.
  2. System inventories by network segment including criticality.
  3. Results of security assessments.

Time

Depends on number of systems and subnets.  Average of four hours per well populated subnet scan and four hours to document results.
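The two sampling and comparison steps that the internal (section 3) and external (section 4) scan procedures share, "select systems to scan based upon criticality and random sample" and "review scans, compare if using more than one tool", are where assessors most often lose findings or double count them. The following is an added example of how to make both steps reproducible; it is not code from the CISO toolkit. The inventory and the two scanner result sets are constructed, and the (host, port, finding, severity) shape is an assumption standing in for whatever export format the selected tools actually produce.

```python
"""Sample selection and cross-tool consolidation for the internal/external
vulnerability scan steps.  Added example, not part of the CISO toolkit; the
inventory, the two scanner result sets and their shape are constructed."""
import random
from collections import defaultdict

# Constructed "system inventory by network segment including criticality".
INVENTORY = [
    {"host": "10.1.1.5",  "subnet": "10.1.1.0/24", "role": "domain controller", "critical": True},
    {"host": "10.1.1.9",  "subnet": "10.1.1.0/24", "role": "file server",       "critical": True},
    {"host": "10.1.1.20", "subnet": "10.1.1.0/24", "role": "print server",      "critical": False},
    {"host": "10.1.2.7",  "subnet": "10.1.2.0/24", "role": "web application",   "critical": True},
    {"host": "10.1.2.31", "subnet": "10.1.2.0/24", "role": "workstation",       "critical": False},
    {"host": "10.1.2.32", "subnet": "10.1.2.0/24", "role": "workstation",       "critical": False},
    {"host": "10.1.2.33", "subnet": "10.1.2.0/24", "role": "workstation",       "critical": False},
]

# Constructed findings from two scanners, already reduced to one shape:
# (host, port/protocol, finding identifier, severity).  Real tools export
# their own formats and must be normalized to this shape first.
SCAN_TOOL_A = [
    ("10.1.1.5",  "445/tcp", "SMB signing not required",  "medium"),
    ("10.1.1.9",  "445/tcp", "SMB signing not required",  "medium"),
    ("10.1.2.7",  "80/tcp",  "Directory listing enabled", "low"),
    ("10.1.2.7",  "443/tcp", "SSLv2 supported",           "high"),
]
SCAN_TOOL_B = [
    ("10.1.1.5",  "445/tcp", "SMB signing not required",  "medium"),
    ("10.1.2.7",  "443/tcp", "SSLv2 supported",           "high"),
    ("10.1.2.7",  "443/tcp", "Weak cipher suites",        "medium"),
    ("10.1.2.31", "135/tcp", "Anonymous RPC enumeration", "low"),
]


def select_sample(inventory, random_count, seed=0):
    """'Select systems based upon criticality and random sample': every
    critical system is always in scope; random_count non-critical systems
    are drawn with a fixed seed so the selection can be reproduced and
    stated in the report."""
    critical = [s["host"] for s in inventory if s["critical"]]
    others = [s["host"] for s in inventory if not s["critical"]]
    rng = random.Random(seed)
    sampled = rng.sample(others, min(random_count, len(others)))
    return sorted(critical), sorted(sampled)


def consolidate(scan_a, scan_b):
    """'Review scans, compare if using more than one tool'.  Findings are
    keyed on (host, port, identifier).  Reported by both tools: confirmed.
    Reported by one tool only: kept, but bucketed so the assessor verifies
    it by hand before it goes in the technical report."""
    by_key = defaultdict(dict)
    for tool, scan in (("A", scan_a), ("B", scan_b)):
        for host, port, ident, severity in scan:
            by_key[(host, port, ident)][tool] = severity
    result = {"confirmed": [], "only_A": [], "only_B": [], "severity_mismatch": []}
    for key, seen in sorted(by_key.items()):
        if "A" in seen and "B" in seen:
            result["confirmed"].append(key)
            if seen["A"] != seen["B"]:
                result["severity_mismatch"].append((key, seen["A"], seen["B"]))
        elif "A" in seen:
            result["only_A"].append(key)
        else:
            result["only_B"].append(key)
    return result


def findings_per_host(consolidated):
    """Confirmed findings per host, for the report summary table."""
    counts = defaultdict(int)
    for host, _port, _ident in consolidated["confirmed"]:
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    critical, sampled = select_sample(INVENTORY, random_count=2, seed=42)
    print("always in scope:", critical)
    print("random sample  :", sampled)
    merged = consolidate(SCAN_TOOL_A, SCAN_TOOL_B)
    for bucket, items in merged.items():
        print(f"{bucket:<18} {len(items)}")
    print(findings_per_host(merged))
```

Record the seed and the resulting host list in the report: a sample that cannot be reproduced cannot be re-tested after remediation. Single-tool findings are not discarded, since tools differ in coverage, but they are the ones to confirm manually before the report is issued.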

5. Wireless Security Analysis

What

Evaluate wireless network deployments to discover unauthorized access points, mis-configurations and related security issues.

How

  1. Develop request for information checklist.
  2. Review requested documentation from entity contact.
  3. Conduct scan to discover available wireless networks (Option One - from within building, Option Two - from outside building).
  4. Compare results of scan to documentation received to identify unauthorized wireless networks.
  5. Attempt to connect to authorized wireless networks if applicable.
  6. Document identified issues.
  7. Issue technical report.

Who

  1. Assessment team.
  2. Network manager - personnel to identify network subnets and physical connection points.
  3. System owners - personnel who can identify critical systems by subnet.

Requested Information

  1. Wireless network documentation.
  2. System inventories by network segment including criticality.
  3. Results of security assessments.

Time

One hour for testing if any wireless networks are found and two hours to document results.
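Step 4 of the wireless analysis, comparing the survey to the documentation, is only as good as the key used for the comparison: matching on SSID alone misses an undocumented access point that advertises the agency's own network name. The following is an added example of that reconciliation keyed on BSSID; it is not code from the CISO toolkit. The authorized-AP list, the survey rows and the survey column names are constructed.

```python
"""Reconcile a wireless survey against the entity's wireless documentation
(Wireless Security Analysis, step 4).  Added example, not part of the CISO
toolkit; BSSIDs, SSIDs and the survey export columns are constructed."""
import csv
import io

# Constructed "wireless network documentation": authorized access points
# keyed by BSSID (the radio MAC), which an unauthorized AP cannot share
# with a legitimate one the way it can share an SSID.
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": {"ssid": "PA-STAFF", "encryption": "WPA2", "location": "Floor 2 east"},
    "00:1a:2b:3c:4d:02": {"ssid": "PA-STAFF", "encryption": "WPA2", "location": "Floor 3 west"},
    "00:1a:2b:3c:4d:03": {"ssid": "PA-GUEST", "encryption": "WPA2", "location": "Lobby"},
}

# Constructed survey export, one row per observed BSSID.  The column names
# are an assumption; survey tools differ.
SURVEY_CSV = """\
bssid,ssid,channel,encryption,signal_dbm
00:1A:2B:3C:4D:01,PA-STAFF,6,WPA2,-41
00:1a:2b:3c:4d:02,PA-STAFF,11,WPA2,-63
00:1a:2b:3c:4d:03,PA-GUEST,1,WPA2,-50
00:1a:2b:3c:4d:09,PA-STAFF,6,WPA2,-48
c4:6e:1f:aa:bb:cc,linksys,6,OPEN,-70
00:1a:2b:3c:4d:02,PA-STAFF,11,WEP,-62
"""

WEAK_ENCRYPTION = {"OPEN", "WEP"}


def parse_survey(text):
    """Normalize MAC case and field types so comparisons are exact."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "channel": int(row["channel"]),
            "encryption": row["encryption"].strip().upper(),
            "signal_dbm": int(row["signal_dbm"]),
        })
    return rows


def reconcile(survey_rows, authorized):
    """Classify every observed network.
    authorized : BSSID documented and observed as documented
    mismatch   : BSSID documented, observed SSID or encryption differs
    spoof      : BSSID undocumented but advertising an authorized SSID
                 (undocumented AP or evil twin; escalate first)
    unknown    : BSSID and SSID both undocumented (neighbor or rogue; step 5,
                 attempting to connect, shows whether it bridges the LAN)
    weak       : any observed network using open or WEP, whoever owns it"""
    known_ssids = {ap["ssid"] for ap in authorized.values()}
    report = {"authorized": [], "mismatch": [], "spoof": [], "unknown": [], "weak": []}
    for r in survey_rows:
        bssid, ssid, enc = r["bssid"], r["ssid"], r["encryption"]
        doc = authorized.get(bssid)
        if doc is None:
            report["spoof" if ssid in known_ssids else "unknown"].append(bssid)
        elif ssid == doc["ssid"] and enc == doc["encryption"]:
            report["authorized"].append(bssid)
        else:
            report["mismatch"].append(
                (bssid, f"documented {doc['ssid']}/{doc['encryption']}, observed {ssid}/{enc}"))
        if enc in WEAK_ENCRYPTION:
            report["weak"].append((bssid, ssid, enc))
    return report


if __name__ == "__main__":
    result = reconcile(parse_survey(SURVEY_CSV), AUTHORIZED_APS)
    for bucket, items in result.items():
        print(f"{bucket:<11} {items}")
```

A documented BSSID observed with a different encryption than the documentation states (the last survey row) is worth a physical check before it is reported: it is either a misconfigured AP or a survey artifact, and the walkthrough resolves which.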

6. Account Management Procedure Analysis

What

Analyze default account settings, administrative rights, delegation practices, user provisioning and termination procedures.

How

  1. Develop request for information checklist.
  2. Review policies and procedures related to user accounts and their management.
  3. Conduct sessions to review entity's policies and procedures.
  4. Review local system users.
  5. Review delegation and administrative users and privileges.
  6. Compare gathered policies and procedures to implementation specifications.
  7. Identify user management gaps and weaknesses.
  8. Issue technical report.

Who

  1. Assessment team.
  2. Network/system manager - personnel responsible for user management and provisioning processes.

Requested Information

  1. Account management policies and procedures.
  2. User provisioning and termination procedures.
  3. System security policies.
  4. System user, groups and permissions lists.

Time

Eight hours to review procedures and to conduct some level of hands on review and four hours to document results.
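Steps 4 to 6 of the account management analysis (review local users, review delegated and administrative privileges, compare the documented procedures with what is actually implemented) reduce to a small set of checks against an account export. The following is an added example of those checks; it is not code from the CISO toolkit. The account export, the HR active list and the approved-administrator list are constructed, and the export's shape is an assumption standing in for the output of a tool such as DumpSec.

```python
"""Account review for the Account Management Procedure Analysis (steps 4-6).
Added example, not part of the CISO toolkit; the account export, HR list,
approved-administrator list and service-account list are constructed."""

# Constructed local account export: name, enabled, days since last logon,
# password never expires, group memberships.
ACCOUNT_EXPORT = [
    ("Administrator", True,  3,   True,  ["Administrators"]),
    ("Guest",         True,  999, True,  ["Guests"]),
    ("jsmith",        True,  1,   False, ["Users"]),
    ("mjones",        True,  150, False, ["Users", "Administrators"]),
    ("tbrown",        True,  2,   False, ["Users"]),
    ("svc_backup",    True,  0,   True,  ["Administrators", "Backup Operators"]),
    ("rdavis",        False, 400, False, ["Users"]),
]

# Constructed reference data taken from the procedures under review.
HR_ACTIVE = {"jsmith", "mjones"}                   # current employees per HR
APPROVED_ADMINS = {"Administrator", "svc_backup"}  # documented delegation list
SERVICE_ACCOUNTS = {"svc_backup"}                  # documented non-person accounts
BUILTIN = {"Administrator", "Guest"}


def review_accounts(export, hr_active, approved_admins, service_accounts, stale_days=90):
    """Return (account, issue) pairs.  Each check maps to one item of the
    section's 'What': default account settings, administrative rights and
    delegation, provisioning and termination.  Built-in and documented
    service accounts are exempt from the person-only checks (HR match,
    inactivity) but not from the delegation check."""
    issues = []
    for name, enabled, days_idle, pwd_never_expires, groups in export:
        person = name not in BUILTIN and name not in service_accounts
        if name == "Guest" and enabled:
            issues.append((name, "default Guest account is enabled"))
        if name == "Administrator" and enabled:
            issues.append((name, "built-in Administrator enabled under its default name"))
        if "Administrators" in groups and name not in approved_admins:
            issues.append((name, "in Administrators but not on the approved delegation list"))
        if person and enabled and name not in hr_active:
            issues.append((name, "enabled but not on the HR active list: termination not processed"))
        if person and enabled and days_idle > stale_days:
            issues.append((name, f"enabled with no logon for {days_idle} days"))
        if person and pwd_never_expires:
            issues.append((name, "password set to never expire"))
    return issues


def accounts_with_issues(issues):
    """Distinct accounts to list in the technical report."""
    return sorted({name for name, _ in issues})


if __name__ == "__main__":
    found = review_accounts(ACCOUNT_EXPORT, HR_ACTIVE, APPROVED_ADMINS, SERVICE_ACCOUNTS)
    for name, issue in found:
        print(f"{name:<14} {issue}")
    print("accounts with issues:", accounts_with_issues(found))
```

The HR comparison is the test of the termination procedure: an enabled account for someone HR no longer lists is a procedure failure regardless of what the written procedure says. The inactivity threshold of 90 days is an assumption; use the value in the entity's own account management policy.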

7. Server and Workstation Configuration Review

What

Hands-on server and workstation configuration analysis.

How

  1. Develop request for information checklist.
  2. Review policies and procedures related to desktop and server provisioning, patch management, anti-virus, user provisioning, documentation management, etc.
  3. Review deployment methods for desktop and server provisioning.
  4. Select representative desktops and servers to review based upon criticality and random sample.
  5. Review build checklists.
  6. Review patching, antivirus and hardening procedures.
  7. Review local users and security policy.
  8. Review application/code promotion controls
  9. Review change control procedures.
  10. Review remote administration methods and procedures.
  11. Review backup and recovery methods.
  12. Identify gaps and weaknesses.
  13. Issue technical report.

Who

  1. Assessment team.
  2. Server administrator - personnel responsible for server configuration and management.
  3. Desktop administrator - personnel responsible for desktop configuration and management.

Requested Information

  1. System documentation.
  2. Server and workstation build documentation.
  3. Change management policies and procedures.
  4. Configuration management policies and procedures.
  5. Patch management policies and procedures.

Time

Expect two hours of hands-on assessment per system, eight hours for review of policies, procedures, build checklists and related system documentation, and four hours per system to document the results of the hands-on assessments.
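Steps 5 to 7 of the configuration review (build checklists, hardening procedures, local security policy) are most defensible when the sampled system's actual settings are compared mechanically against the build checklist rather than by eye. The following is an added example of that comparison for a Windows local security policy; it is not code from the CISO toolkit. It assumes the policy was exported with `secedit /export` (a real INI-style format; the sample below is constructed and abbreviated) and that the build checklist has been expressed as the expected value per setting, which is an assumption about how the entity documents its checklist.

```python
"""Compare a sampled system's exported local security policy with the
build checklist (Server and Workstation Configuration Review, steps 5-7).
Added example, not part of the CISO toolkit; the export is a constructed,
abbreviated secedit /export file and the checklist values are assumed."""
import configparser
import operator

# Constructed secedit /export output for one sampled workstation.
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Build checklist as (section, setting, operator, expected, rationale).
# Audit values: 0 none, 1 success, 2 failure, 3 success and failure.
BUILD_CHECKLIST = [
    ("System Access", "MinimumPasswordLength", ">=", 8, "passwords at least 8 characters"),
    ("System Access", "PasswordComplexity", "==", 1, "complexity enforced"),
    ("System Access", "MaximumPasswordAge", "between", (1, 90), "passwords expire within 90 days"),
    ("System Access", "PasswordHistorySize", ">=", 12, "recent passwords cannot be reused"),
    ("System Access", "LockoutBadCount", "between", (1, 5), "lockout after at most 5 attempts"),
    ("System Access", "ClearTextPassword", "==", 0, "no reversible password storage"),
    ("System Access", "EnableGuestAccount", "==", 0, "Guest account disabled"),
    ("System Access", "NewAdministratorName", "!=", "Administrator", "built-in admin renamed"),
    ("Event Audit", "AuditLogonEvents", "==", 3, "logon success and failure audited"),
    ("Event Audit", "AuditPolicyChange", "==", 3, "policy changes audited"),
]

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def parse_secedit_export(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive as exported
    cp.read_string(text)
    return cp


def _coerce(raw):
    """secedit writes integers bare and strings in double quotes."""
    raw = raw.strip()
    try:
        return int(raw)
    except ValueError:
        return raw.strip('"')


def check_against_checklist(cp, checklist):
    """Return (setting, PASS/FAIL/MISSING, actual, rationale) per item.
    A setting absent from the export is reported, not silently passed:
    an unset audit category means nothing is audited."""
    results = []
    for section, setting, op, expected, rationale in checklist:
        if not cp.has_option(section, setting):
            results.append((setting, "MISSING", None, rationale))
            continue
        actual = _coerce(cp.get(section, setting))
        if op == "between":
            ok = expected[0] <= actual <= expected[1]
        else:
            ok = OPS[op](actual, expected)
        results.append((setting, "PASS" if ok else "FAIL", actual, rationale))
    return results


def failures(results):
    return [r for r in results if r[1] != "PASS"]


if __name__ == "__main__":
    report = check_against_checklist(parse_secedit_export(SECEDIT_EXPORT), BUILD_CHECKLIST)
    for setting, status, actual, rationale in report:
        print(f"{status:<7} {setting:<22} actual={actual!s:<14} {rationale}")
    print(f"{len(failures(report))} of {len(report)} checklist items not met")
```

Run the same checklist against every sampled system and report per-system and per-setting counts: a setting that fails on every sample points at the build image or group policy, not at the individual host.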

8. Security Infrastructure Analysis

What

Review security infrastructure such as firewalls, routers, switches, VLANs, anti-virus, intrusion detection/prevention systems, authentication services, remote access servers, key management systems.

How

  1. Develop request for information checklist.
  2. Review policies, procedures and technical documentation related to security infrastructure.
  3. Conduct hands on review of configurations based upon criticality and random sampling.
  4. Identify gaps and weaknesses.
  5. Issue technical report.

Who

  1. Assessment team.
  2. Security administrators - personnel responsible for implementation, configuration and administration of the security infrastructure.

Requested Information

  1. Security infrastructure documentation.
  2. Security infrastructure related policies and procedures.

Time

One hour for walkthrough, four hours to review procedures, one hour per security infrastructure component, and eight hours to document results.
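Step 3 of the security infrastructure analysis, the hands-on configuration review, is where a firewall rule base gets read rule by rule. The following is an added example of the checks an assessor applies to a sampled rule base; it is not code from the CISO toolkit. The rule set is constructed and assumed to have already been normalized from the vendor's syntax into ordered (id, action, source, destination, protocol, port, log) tuples, evaluated first match wins.

```python
"""Firewall rule base review (Security Infrastructure Analysis, step 3).
Added example, not part of the CISO toolkit; the rule set is constructed
and assumed to be first-match, already normalized from the vendor format."""
import ipaddress

# Constructed rule base: (id, action, src, dst, proto, dport, log).
RULESET = [
    (10, "allow", "10.1.0.0/16", "10.2.5.10/32", "tcp", 443,   True),
    (20, "allow", "0.0.0.0/0",   "10.2.5.0/24",  "tcp", 23,    False),
    (30, "deny",  "10.1.3.0/24", "10.2.5.10/32", "tcp", 443,   True),
    (40, "allow", "10.1.0.0/16", "0.0.0.0/0",    "any", "any", False),
    (50, "deny",  "0.0.0.0/0",   "0.0.0.0/0",    "any", "any", False),
]

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
# Cleartext management protocols that should not be permitted through a
# security boundary (assumed list; extend from the entity's own standard).
CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp"}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _field_covers(a, b):
    return a == "any" or a == b


def covers(earlier, later):
    """True when every packet matched by `later` is already matched by
    `earlier`; with first-match evaluation `later` is then unreachable."""
    _, _, s1, d1, p1, port1, _ = earlier
    _, _, s2, d2, p2, port2, _ = later
    return (_net(s2).subnet_of(_net(s1)) and _net(d2).subnet_of(_net(d1))
            and _field_covers(p1, p2) and _field_covers(port1, port2))


def review_rules(rules):
    """Return the rule ids behind each class of finding."""
    findings = {"permissive": [], "inbound_from_any": [], "cleartext_mgmt": [],
                "unlogged_deny": [], "shadowed": []}
    for i, rule in enumerate(rules):
        rid, action, src, dst, proto, port, log = rule
        if action == "allow" and _net(dst) == ANY_NET and proto == "any":
            findings["permissive"].append(rid)          # any service, anywhere
        if action == "allow" and _net(src) == ANY_NET:
            findings["inbound_from_any"].append(rid)    # no source restriction
        if action == "allow" and port in CLEARTEXT_MGMT_PORTS:
            findings["cleartext_mgmt"].append((rid, CLEARTEXT_MGMT_PORTS[port]))
        if action == "deny" and not log:
            findings["unlogged_deny"].append(rid)       # drops with no evidence trail
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings["shadowed"].append((rid, earlier[0]))
                break
    return findings


if __name__ == "__main__":
    for kind, hits in review_rules(RULESET).items():
        print(f"{kind:<17} {hits}")
```

A shadowed deny (rule 30 above, covered by the earlier allow in rule 10) is the finding that explains why a control the administrator believes is in place is not: the rule exists in the configuration but can never match. The same containment logic applies to router ACLs and switch VLAN ACLs.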

9. Continuity Plan Review

What

Review continuity plans and procedures including business continuity, disaster recovery and backup and recovery plans.

How

  1. Develop request for information checklist.
  2. Review requested continuity plans from entity contact.
  3. Conduct session to review continuity plans with continuity planner.
  4. Review business impact assessment and business risk assessments.
  5. Review critical system selection and prioritization.
  6. Analyze continuity planning test results.
  7. Identify critical systems not included or weaknesses in current plans.
  8. Issue technical report.

Who

  1. Assessment team.
  2. Business continuity manager - personnel responsible for continuity planning.

Requested Information

  1. Business impact/risk assessments.
  2. Business continuity plans.
  3. Disaster recovery plans.
  4. Backup and recovery plan.

Time

Four hours to review continuity related documentation, two hours to conduct review session and four hours to document results.

10. Human Resources Review

What

Review employee processes including hiring and termination.

How

  1. Develop request for information checklist.
  2. Review requested information from entity contact.
  3. Conduct session to review human resources documentation.
  4. Test new hire and termination procedures.
  5. Issue technical report.

Who

  1. Assessment team.
  2. Human resources.

Requested Information

Human resources related policies and procedures.

Time

Four hours to review documentation, two hours to conduct review session and eight hours to document results.

11. Security Awareness and Training Programs Assessment

What

Review current employment and security related awareness and training programs.

How

  1. Develop request for information checklist.
  2. Review requested information from entity contact.
  3. Conduct session to review training and awareness program documentation.
  4. Review awareness and security training plans, attendance logs and supporting documentation.
  5. Issue technical report.

Who

  1. Assessment team.
  2. Training coordinator.

Requested Information

  1. Training needs assessment results.
  2. Course curriculum for new hires.
  3. Training and communication plans.

Time

Four hours to review documentation, two hours to conduct review session and eight hours to document results.

General Assessment

  1. NIST ASSET - http://csrc.nist.gov/asset/asset_download.html
  2. NIST IT Security Practices & Checklists - http://csrc.nist.gov/pcig/cig.html
  3. CERT OCTAVE - http://www.cert.org/octave/
  4. NIST SP800-53 - Recommended Security Controls - http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
  5. NIST SP800-26 - Guide for Information Security Program Assessments - http://csrc.nist.gov/publications/drafts/Draft-sp800-26Rev1.pdf
  6. NIST SP800-26 Questionnaire - http://csrc.nist.gov/publications/nistpubs/800-26/Mapping-of-800-53v1.doc
  7. ASIS Guidelines - http://www.asisonline.org/guidelines/guidelines.htm
  8. Center for Internet Security Benchmarks - http://www.cisecurity.org/
  9. NIST SP800-42 Guideline on Network Security Testing - http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
  10. World Bank Technology Risk Checklist - http://www.infragard.net/library/pdfs/technologyrisklist.pdf

Security Policy Review

  1. ISO 27002 Description (formerly ISO 17799) - http://en.wikipedia.org/wiki/ISO_17799
  2. ISO 27002 Introduction (formerly ISO 17799) - http://www.27000.org/iso-27002.htm
  3. ISO 27002 Purchase/Download (formerly ISO 17799) - http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
  4. Information Security Policy World - http://www.information-security-policies-and-standards.com/
  5. SANS Security Policy Samples - http://www.sans.org/resources/policies/#name

Physical and Environmental Security Assessment

  1. GAO - Technologies to Secure Federal Buildings - http://www.gao.gov/new.items/d04467.pdf

Internal Vulnerability Scans & Penetration Testing

  1. Microsoft Baseline Security Analyzer - http://www.microsoft.com/technet/security/tools/mbsahome.mspx
  2. NMAP - http://www.insecure.org/nmap/
  3. Foundstone SuperScan - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/scanning.htm
  4. NBTScan - http://www.inetcat.org/software/nbtscan.html
  5. DumpSec - http://www.somarsoft.com/
  6. Enum - http://www.bindview.com/services/razor/utilities/ 

External Vulnerability Scans / Penetration Testing

  1. Open Source Security Testing Methodology Manual - http://www.isecom.org/osstmm/
  2. Microsoft IT Attack and Penetration Testing Team - http://www.microsoft.com/technet/itsolutions/msit/security/attackandpenetest.mspx
  3. Penetration Testing for Web Applications (Part 1) - http://www.securityfocus.com/infocus/1704
  4. Penetration Testing for Web Applications (Part 2) - http://www.securityfocus.com/infocus/1709
  5. Penetration Testing for Web Applications (Part 3) - http://www.securityfocus.com/infocus/1821
  6. Penetration Testing Guide - http://www.penetration-testing.com/
  7. SANS - Introduction to Becoming a Penetration Tester - http://www.sans.org/rr/whitepapers/testing/266.php

Wireless Security Analysis

  1. Wireless LAN Security Assessment Steps - http://www.wi-fiplanet.com/tutorials/article.php/1545731
  2. NIST SP800-48 - Wireless Network Security - http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

Server and Workstation Configuration Analysis

  1. National Security Agency (NSA) Windows Security Recommendations Guides - http://www.nsa.gov/snac/downloads_all.cfm
  2. Microsoft Windows 2000 Security Hardening Guide - http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx
  3. Microsoft Windows Server 2003 Security Guide - http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
  4. Microsoft IIS Security Page - http://www.microsoft.com/technet/security/prodtech/IIs.mspx
  5. Microsoft Secure IIS Checklist - http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx 
  6. Microsoft SQL Server 2000 Auditing - http://www.microsoft.com/technet/security/prodtech/sqlserver/sql2kaud.mspx
  7. Microsoft Securing SQL 2000 Resource Guide - http://www.microsoft.com/technet/archive/security/chklist/sql2ksrg.mspx
  8. Microsoft Securing SQL 2000 SP3 Security Best Practices Checklist - http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec04.mspx

Network/Account Management Procedure Analysis

  1. Microsoft Best Practice Guide for Securing Windows Server Active Directory Installations - http://www.microsoft.com/windowsserver2003/techinfo/overview/adsecurity.mspx

Security Infrastructure Analysis

  1. National Security Agency (NSA) Router and Switch Security Configuration Guides - http://www.nsa.gov/snac/downloads_all.cfm

Business Continuity Plan Review and Development

  1. NIST SP800-34 Contingency Planning Guide for Information Technology Systems - http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf
  2. NIST SP800-30 Risk Management Guide for Information Technology Systems - http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
  3. Availability.com - http://www.availability.com/

To download the complete CISO Security Assessment Toolkit (840K zip file) or print/save a word version of the document, see links below.

For additional information or assistance, please contact ra-ciso@state.pa.us.


Attached Files:

 CISOToolkit_v1.zip
 SecureMethod.doc