||A Security Assessment
is the process whereby Cerzán identifies security concerns
within the Information Systems (IS) Communications Infrastructure,
emphasizing the security impact on your organization's operating
The overall goal of the security assessment is for Cerzán
to act as an independent and knowledgeable third party, to
objectively observe the security of your organizations network.
These observations can study all aspects of the company's
- Documented policies and procedures
- Network topography
- Hardware, software and Network Operating Systems (NOS)
- Physical security of your organization's information
and information systems.
The Security Assessment component will identify potential
security vulnerabilities, based upon the objectives of your
company and what you are trying to secure. Many organizations
today are utilizing a Site Security Assessment service to
proactively implement security controls. This becomes even
more important as orginization are making Web enabled applications
available over the Internet or allowing access to internal
systems via Virtual Private Networks (VPN).
Should your organization engage in a Site Security Assessment,
Cerzán will conduct an Assessment in the following
- Review network diagrams, routers, firewall configurations
and existing policies.
- Conduct onsite interviews, to gather information regarding
the security of your organization's communications infrastructure,
undocumented policies, and operational constraints.
- Provide an analysis and description of the security issues
found during the assessment with, recommendations how your
company can address the issues and perform corrective action.
Cerzán can conduct a Site Security Assessment in a
broad manner to encompass all aspects of the IS Communications
Infrastructure, or the Scope of Work can concentrate on single
units of IS Communications Infrastructure. For example, Cerzán
could conduct our Assessment regarding security across the
WAN, Internet connection and Internet Appliances, or the Remote
Access Server (RAS) environment.
A typical list of categories of observations will
include, but be not limited to:
- Internet Connection
- Firewall and/or external router
- Web, FTP, and Mail Servers
- Application and production servers (Novell, UNIX,
NT, RACF, Other)
- Physical security of computers, servers and facilities
- Password protection and authentication
- Dial-in connections
- Existing, missing, or outdated written policies
- Diagram of current and/or future network architecture
- System or server user privileges and file protections
- Shared networks (intranets and extranets)
Internet ConnectionFirewall and/or external routerWeb, FTP,
and Mail ServersApplication and production servers (Novell,
UNIX, NT, RACF, Other)Physical security of computers, servers
and facilitiesPassword protection and authentication Dial-in
connectionsExisting, missing, or outdated written policiesDiagram
of current and/or future network architectureSystem or server
user privileges and file protectionsShared networks (intranets
Cerzán will formulate our findings into a document
(Security Assessment Report) that acts as the deliverable.
Following, is a list of the sections typically included in
a Security Assessment Report:
- Observations and Recommendations on your
organization's information security, and recommendations
regarding how to address the observations.
- Conclusions which point out the important
security concerns regarding your network, and identifies
the most important recommendations you should take to better
secure the information and information systems.
- Appendices to include information that
supports the findings of the security assessment. Information
included might be a walkthrough report of the on-site assessment,
output of tools to determine external visibility of the
internal network, and printouts of configurations.
Presentation of Issues:
This presentation will be conducted at your site and typically
includes personal from IS, Operations, Security Group and
Security concerns will be identified, considering the security
impact on your operational environment. Detailed descriptions
of the security concern - and recommendations of how to address
each concern - is reported, and with a risk impact, cost of
the problem(s) and possible solutions.
The report (Security Assessment Report) will be delivered
as a bound hard copy, in addition to electronic format, that
will be transferred to your organization in a secure fashion.