Internal Security Assessment (ISA)
Includes penetration testing
The purpose of an Internal Security Assessment (ISA) is to examine the effectiveness of the credit union's controls against a combination of financial-industry best practices, including the Gramm-Leach-Bliley Act (GLBA), Federal Financial Institutions Examination Council (FFIEC) guidance, NIST, ISO, and PCI requirements, as well as general good business sense. The six major security domains addressed during the scope of an ISA are: User Security, Host Security, Physical Security, Network Security, Disaster Recovery, and Policies and Procedures. Each domain is reviewed against industry best practices for internal network security.
Following the CastleGarde assessment methodology, an Internal Security Assessment is performed in four stages:
1. Information gathering
2. Identification and Testing
3. Evaluation and Validation
4. Analysis and Reporting
Internal Security Assessment Stages
1. Information gathering
Most of the initial information gathering will take place at your site.
2. Identification and Testing
During the identification and testing stage, CastleGarde will interview selected staff, review policy, and observe procedures. The goal of this stage is to identify the organization's critical information assets and use them to build the test bed for the subsequent phases. By interviewing key staff and through direct observation, CastleGarde will determine the effectiveness of the procedural controls in place to maintain the confidentiality, integrity, and availability of the critical information systems. This stage is most often thought of as the person-to-person stage.
Tasks in this stage include:
- Disaster recovery / business continuity plan (DR/BCP) review
- Network architecture review
- Network/Host administration procedural review
- Cloud-based services review
CastleGarde will also perform manual probes of systems and run a number of security audit and assessment tools to evaluate the effectiveness of the controls implemented and enforced by the systems themselves. In addition, any weaknesses in procedural controls or systems exposed during the interviews and observation will be tested at this point.
Tasks that may be performed in this stage include:
- Firewall rule analysis
- Systems vulnerability testing
- Enterprise policy audit
- Password audit
3. Evaluation and Validation
During the evaluation and validation stage, the assessment team will validate the findings from the system testing and perform any relevant penetration tests.
4. Analysis and Reporting
The final phase of the internal assessment is conducted off-site. Using the information gained in the previous three stages, the CastleGarde assessment team will perform a risk analysis to determine the organization's risk profile. The resulting report provides management with the information needed to make informed decisions with respect to the acceptance, avoidance, or assignment (transfer) of risk.
Upon completion, a member of the CastleGarde assessment team will present the written report in a multimedia presentation of findings to the organization’s management team or Board of Directors. The report will include specific recommendations on mitigating or avoiding the exposed risks, along with an information security roadmap for implementing recommended changes.