A Security Assessment
is the process whereby Cerzán identifies security concerns
within your Information Systems (IS) communications infrastructure,
emphasizing the security impact on your organization's operating
environment.
The overall goal of the security assessment is for Cerzán
to act as an independent and knowledgeable third party that
objectively observes the security of your organization's network.
These observations can cover all aspects of the company's
security, including:
- Documented policies and procedures
- Network topology
- Hardware, software and Network Operating Systems (NOS)
- Physical security of your organization's information
and information systems.
The Security Assessment component will identify potential
security vulnerabilities, based upon the objectives of your
company and what you are trying to secure. Many organizations
today use a Site Security Assessment service to proactively
implement security controls. This becomes even more important
as organizations make Web-enabled applications available over
the Internet or allow access to internal systems via Virtual
Private Networks (VPN).
Should your organization engage in a Site Security Assessment,
Cerzán will conduct an Assessment in the following
manner:
- Review network diagrams, routers, firewall configurations
and existing policies.
- Conduct onsite interviews to gather information regarding
the security of your organization's communications infrastructure,
undocumented policies, and operational constraints.
- Provide an analysis and description of the security issues
found during the assessment, with recommendations on how your
company can address the issues and take corrective action.
Cerzán can conduct a Site Security Assessment in a
broad manner to encompass all aspects of the IS communications
infrastructure, or the Scope of Work can concentrate on single
units of that infrastructure. For example, Cerzán could focus
the assessment on security across the WAN, on the Internet
connection and Internet appliances, or on the Remote Access
Server (RAS) environment.
The categories of observations typically include, but are
not limited to:
- Internet Connection
- Firewall and/or external router
- Web, FTP, and Mail Servers
- Application and production servers (Novell, UNIX,
NT, RACF, Other)
- Physical security of computers, servers and facilities
- Password protection and authentication
- Dial-in connections
- Existing, missing, or outdated written policies
- Diagram of current and/or future network architecture
- System or server user privileges and file protections
- Shared networks (intranets and extranets)
Cerzán will compile its findings into a document
(the Security Assessment Report) that serves as the deliverable.
The sections typically included in a Security Assessment
Report are:
- Observations and Recommendations: observations on your
organization's information security, and recommendations
on how to address each observation.
- Conclusions: the most important security concerns
regarding your network, and the recommendations you should
act on first to better secure your information and
information systems.
- Appendices: information that supports the findings of
the security assessment, such as a walkthrough report of the
on-site assessment, output of the tools used to determine the
external visibility of the internal network, and printouts
of configurations.
Presentation of Issues:
This presentation will be conducted at your site and typically
includes personnel from IS, Operations, the Security Group and
Executive Management.
Security concerns are identified with regard to their impact
on your operational environment. A detailed description of each
concern, and a recommendation for addressing it, is reported
together with the risk impact, the cost of the problem(s) and
possible solutions.
The Security Assessment Report will be delivered as a bound
hard copy and in electronic format; the electronic copy will
be transferred to your organization in a secure fashion.