Information Security Office
Security Assessment Description and Questionnaire
The Information Security Office offers many types of assessments to meet our customer’s needs. This document explains the process for requesting an assessment, describes the set of security assessment services that the Information Security Office (ISO) offers to members of the campus community and provides a questionnaire that is used to assist in understanding the target environment.
The ISO is not able to assess every possible platform or application. Nor is it possible for the ISO to meet every timeline requirement. In those cases, the ISO may contract with external partners to deliver the requested assessment service. There may be associated costs that will need to be passed along to the requesting organizational unit.
Process:
The Information Security Office has created a simple process around vulnerability assessments to provide clarity and consistency. The process is outlined below.
Security Assessment Services
In this section, you will find the description of the most common assessment scenarios. These can be customized in many ways to meet a customer’s needs. Each type of assessment takes varying amounts of time and is impacted by the number of targets (applications, servers, networks, etc.). The exact type of assessment should be determined in the “kickoff” meeting.
Penetration testing includes components of application vulnerability assessment, host vulnerability assessment, and security best practices. This type of test can be performed with or without detailed prior knowledge of the environment. When it is performed without prior knowledge additional steps will be taken to enumerate hosts and applications and to assess the ease with which any outsider could exploit publicly available information or social engineering to gain unauthorized access.
An attack and penetration test will answer questions like:
This would involve the ISO acting as an attacker and looking at the system as an outsider. The ISO would look for:
This is an assessment of the health and security of given workstation or server. Automated scanning tools (e.g. Nessus) are the primary vehicle for this type of assessment. Additional hands-on inspection may also be necessary to assess conformance to security best practice.
This assessment will answer questions like:
This would involve the ISO acting as a Sys Admin and auditing the system and applications looking for:
This is an assessment of the functionality and resilience of the compiled application to known threats. This assessment focuses on the compiled and installed elements of the entire system: how the application components are deployed, communicate or otherwise interact with both the user and server environments.
Application scanning tools as well as manual testing with and without application credentials are used to perform this assessment. Typically some host, network, and general information security practices are assessed as part an application vulnerability assessment.
This assessment will answer questions like:
This would involve the ISO auditing an application (typically web based) and looking for vulnerabilities like:
This would involve the Information Security Office auditing (or assisting in the coordination of an audit if the ISO is not trained to conduct the specific audit) systems for compliance with specific regulations:
CS 340 Milestone One Guidelines and Rubric Overview: For this assignment, you will implement the fundamental operations of create, read, update,
Retail Transaction Programming Project Project Requirements: Develop a program to emulate a purchase transaction at a retail store. This
7COM1028 Secure Systems Programming Referral Coursework: Secure
Create a GUI program that:Accepts the following from a user:Item NameItem QuantityItem PriceAllows the user to create a file to store the sales receip
CS 340 Final Project Guidelines and Rubric Overview The final project will encompass developing a web service using a software stack and impleme