Information Security Technology Risk Assessment Services
CastleGarde’s methodology focuses on providing a full Information Security Risk Assessment. Our experience has shown this to be the most effective and thorough approach for our clients. The key components of our approach are the Internal Vulnerability Assessment (IVA), the External Vulnerability Assessment (EVA) and the Physical Security Assessment (PSA). Each component is described in the following sections.
Information Security Risk Assessment Process
Internal Vulnerability Assessment (IVA)
The purpose of an Internal Vulnerability Assessment (IVA) is to examine the effectiveness of the credit union's controls against a combination of financial industry best practices, including Gramm-Leach-Bliley (GLBA), Federal Financial Institutions Examination Council (FFIEC), NIST, ISO, and PCI requirements, as well as general good business sense. The six major security domains addressed during the scope of an IVA are: User Security, Host Security, Physical Security, Network Security, Disaster Recovery, and Policies and Procedures. Each domain is reviewed against industry best practices for internal network security.
External Vulnerability Assessment (EVA)
The purpose of an External Vulnerability Assessment (EVA), as required by NCUA, is to simulate a targeted attack and to identify potential vulnerabilities that could be exploited on those devices that are publicly reachable from the Internet. Exploitable vulnerabilities may involve system configurations, system applications, web/e-mail server services, and remote or administrative access.
Physical Security Assessment (PSA)
The Physical Security Assessment (PSA) is performed onsite in conjunction with the Internal Vulnerability Assessment (IVA). It consists of an inspection and analysis of external and internal physical controls. Areas under review include: administrative controls, contract services (couriers, janitorial services, etc.), windows, doors, roof access, access controls, alarm systems, surveillance systems, data centers, record rooms/vaults, media storage and destruction, and emergency preparedness and readiness. The assessment also includes information gathering from the credit union’s website and other publicly available sites to support the social engineering and covert testing exercises. The assessment is geared towards determining whether an attacker could gain unauthorized access to the facility and discover potentially unsecured Sensitive Member Information (SMI) as defined by NCUA.