logo Hurry, Grab up to 30% discount on the entire course
Order Now logo

Ask This Question To Be Solved By Our ExpertsGet A+ Grade Solution Guaranteed

expert
Eusebio JayCriminology
(5/5)

722 Answers

Hire Me
expert
David AvitiaManagement
(5/5)

587 Answers

Hire Me
expert
Sam BingamanAccounting
(5/5)

545 Answers

Hire Me
expert
Ray BjorkCriminology
(5/5)

641 Answers

Hire Me
Computer Network

explains the process for requesting an assessment, describes the set of security assessment services that the Information Security Office (ISO) offers to members of the campus community

INSTRUCTIONS TO CANDIDATES
ANSWER ALL QUESTIONS

Information Security Office

Security Assessment Description and Questionnaire

The Information Security Office offers many types of assessments to meet our customer’s needs.  This document explains the process for requesting an assessment, describes the set of security assessment services that the Information Security Office (ISO) offers to members of the campus community and provides a questionnaire that is used to assist in understanding the target environment.  

 

The ISO is not able to assess every possible platform or application.  Nor is it possible for the ISO to meet every timeline requirement.  In those cases, the ISO may contract with external partners to deliver the requested assessment service.  There may be associated costs that will need to be passed along to the requesting organizational unit. 

Process:

The Information Security Office has created a simple process around vulnerability assessments to provide clarity and consistency. The process is outlined below.

 

  1. Contact the ISO (request assessment)
  2. The ISO accepts the project
  3. A questionnaire (later in this document) is completed by the customer
  4. A scoping/kick-off meeting is held
    • The goal of the meeting is to try to determine which type of assessment is appropriate, the scope of the assessment, a timeline and contact information.  The product of the meeting is a Statement of Work that will be agreed upon and signed by both parties.
  1. The assessment is scheduled (projected end date is noted as well)
  2. Assessment is performed during agreed upon times
    • The ISO and the customer will be in contact throughout the process.  Any findings that are deemed urgent (presenting an immediate security risk) would be communicated immediately to the customer.
  1. The assessment report is produced and reviewed by the ISO group
  2. The report is distributed to the customer and a review meeting is scheduled
  3. The wrap-up meeting is held where detailed findings are explained
  4. Both groups sign off on the results

 

Security Assessment Services

In this section, you will find the description of the most common assessment scenarios.  These can be customized in many ways to meet a customer’s needs.  Each type of assessment takes varying amounts of time and is impacted by the number of targets (applications, servers, networks, etc.).  The exact type of assessment should be determined in the “kickoff” meeting.

 

  • Network Based (Attack & Penetration)

Penetration testing includes components of application vulnerability assessment, host vulnerability assessment, and security best practices. This type of test can be performed with or without detailed prior knowledge of the environment.  When it is performed without prior knowledge additional steps will be taken to enumerate hosts and applications and to assess the ease with which any outsider could exploit publicly available information or social engineering to gain unauthorized access.

 

An attack and penetration test will answer questions like:

  • How vulnerable is the network, host, and application(s) to attacks from the internet or intranet?
  • Can an intruder obtain unauthorized access to critical resources?
  • Are social engineering techniques effective?
  • Are operational controls effective?

 

This would involve the ISO acting as an attacker and looking at the system as an outsider.  The ISO would look for:

  • Remotely exploitable vulnerabilities
  • Patch levels (OS and Apps)
  • Unnecessary services
  • Weakness of encryption
  • Weakness of authentication
  •  

 

  • Host Based

This is an assessment of the health and security of given workstation or server.  Automated scanning tools (e.g. Nessus) are the primary vehicle for this type of assessment.  Additional hands-on inspection may also be necessary to assess conformance to security best practice. 

 

This assessment will answer questions like:

  • Is patching up to date?
  • Are unnecessary services running?
  • Are anti-virus/anti-malware signatures up to date?

 

This would involve the ISO acting as a Sys Admin and auditing the system and applications looking for:

  • Locally exploitable vulnerabilities
  • Patch levels (OS and Apps)
  • Access rights
  • Security best practices
  •  

 

  • Application

This is an assessment of the functionality and resilience of the compiled application to known threats.  This assessment focuses on the compiled and installed elements of the entire system: how the application components are deployed, communicate or otherwise interact with both the user and server environments. 

 

Application scanning tools as well as manual testing with and without application credentials are used to perform this assessment. Typically some host, network, and general information security practices are assessed as part an application vulnerability assessment.

 

This assessment will answer questions like:

  • Does the application expose the underlying servers and software to attack
  • Can a malicious user access, modify, or destroy data or services within the system

 

This would involve the ISO auditing an application (typically web based) and looking for vulnerabilities like:

  • SQL Injection
  • Cross Site Scripting
  • Cross Site Request Forgery
  • Improper data sanitization
  • Buffer overflows (limited)
  • Mis-configured/weak authentication
  • Etc.

 

  • Compliance

This would involve the Information Security Office auditing (or assisting in the coordination of an audit if the ISO is not trained to conduct the specific audit) systems for compliance with specific regulations:

  • HIPAA
  • FERPA
  • GLBA
  • PCI

 

Related Questions

. The fundamental operations of create, read, update, and delete (CRUD) in either Python or Java

CS 340 Milestone One Guidelines and Rubric  Overview: For this assignment, you will implement the fundamental operations of create, read, update,

. Develop a program to emulate a purchase transaction at a retail store. This  program will have two classes, a LineItem class and a Transaction class

Retail Transaction Programming Project  Project Requirements:  Develop a program to emulate a purchase transaction at a retail store. This

. The following program contains five errors. Identify the errors and fix them

7COM1028   Secure Systems Programming   Referral Coursework: Secure

. Accepts the following from a user: Item Name Item Quantity Item Price Allows the user to create a file to store the sales receipt contents

Create a GUI program that:Accepts the following from a user:Item NameItem QuantityItem PriceAllows the user to create a file to store the sales receip

. The final project will encompass developing a web service using a software stack and implementing an industry-standard interface. Regardless of whether you choose to pursue application development goals as a pure developer or as a software engineer

CS 340 Final Project Guidelines and Rubric  Overview The final project will encompass developing a web service using a software stack and impleme