A comprehensive risk assessment is the cornerstone of any successful information security program, and a requirement of GLBA, HIPAA, and other information security regulations. A comprehensive risk assessment consists of a critical asset inventory and a vulnerability analysis of your critical assets.
NMI combines its RAPID and RSK technologies to provide a comprehensive suite of risk assessment services that are cost-effective, accessible to audiences from board members to implementors, and support the RAPID principle of continuous validation and continuous adaptation.
The NMI Difference
- RSK risk measurement technology
- Expert manual research that identifies 20-50% more critical vulnerabilities
- A modular approach that lets you control the scope and intensity of your risk assessment
- Superior deliverables that are accessible to all audiences
Vulnerability Scan
NMI conducts intelligence gathering (discovery) operations against your critical information resources, performs an automated scan of those resources, and uses the results of the discovery and the automated scan to perform expert research on additional vulnerabilities not detected by the automated tools. A vulnerability scan identifies possible vulnerabilities but does not prove their existence. Results are reported using RSK to measure the risk associated with identified vulnerabilities.
Differential Vulnerability Scan
NMI performs an automated vulnerability scan using previous vulnerability scan, penetration test, or differential vulnerability scan data as a baseline. A differential vulnerability scan identifies changes since the previous test and uses RSK to measure improved or degraded security.
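The core of a differential scan is a diff of finding sets keyed by host, port and check. The following is an added illustration, not NMI's RAPID or RSK tooling; the findings are constructed sample data and the 0-10 severity scale is an assumption.

```python
"""Differential vulnerability scan: diff a baseline finding set against the
current one and report new, resolved and re-rated findings plus net change.
Added illustration (not NMI's tooling); data constructed, 0-10 scale assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str      # scanner check identifier (constructed)
    severity: float   # 0.0 (info) .. 10.0 (critical); assumed scale


def _key(f):
    # Two findings are "the same finding" when host, port and check match.
    return (f.host, f.port, f.vuln_id)


def diff_scans(baseline, current):
    base = {_key(f): f for f in baseline}
    cur = {_key(f): f for f in current}
    new = sorted((cur[k] for k in cur.keys() - base.keys()), key=_key)
    resolved = sorted((base[k] for k in base.keys() - cur.keys()), key=_key)
    rerated = sorted(((base[k], cur[k]) for k in base.keys() & cur.keys()
                      if base[k].severity != cur[k].severity),
                     key=lambda pair: _key(pair[0]))
    base_score = round(sum(f.severity for f in baseline), 1)
    cur_score = round(sum(f.severity for f in current), 1)
    delta = round(cur_score - base_score, 1)
    verdict = "degraded" if delta > 0 else "improved" if delta < 0 else "unchanged"
    return {"new": new, "resolved": resolved, "rerated": rerated,
            "baseline_score": base_score, "current_score": cur_score,
            "delta": delta, "verdict": verdict}


# Constructed sample data: the previous engagement's findings and today's.
BASELINE = [
    Finding("10.0.0.5", 22, "ssh-weak-kex", 5.3),
    Finding("10.0.0.5", 443, "tls-1.0-enabled", 4.0),
    Finding("10.0.0.9", 3389, "rdp-no-nla", 7.5),
]
CURRENT = [
    Finding("10.0.0.5", 22, "ssh-weak-kex", 5.3),       # unchanged
    Finding("10.0.0.5", 443, "tls-1.0-enabled", 6.5),   # re-rated upward
    Finding("10.0.0.7", 80, "outdated-httpd", 9.8),     # new finding
]                                                       # rdp-no-nla resolved

if __name__ == "__main__":
    report = diff_scans(BASELINE, CURRENT)
    for f in report["new"]:
        print("NEW     ", f.host, f.port, f.vuln_id, f.severity)
    for f in report["resolved"]:
        print("RESOLVED", f.host, f.port, f.vuln_id, f.severity)
    for old, now in report["rerated"]:
        print("RERATED ", old.host, old.port, old.vuln_id, old.severity, "->", now.severity)
    print(report["verdict"], report["delta"])
```

Feeding the previous report as the baseline each time gives the trend the page describes: a positive delta means security degraded since the last test, a negative one means it improved.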
Penetration Test
NMI performs a vulnerability scan and uses any vulnerabilities identified to compromise the confidentiality of your information system. The penetration test not only proves the existence and "exploitability" of specific vulnerabilities, but it usually identifies many vulnerabilities that would not otherwise be detected. As in the case of the vulnerability scan, results include RSK measurements of the risk associated with identified vulnerabilities.
Phone Scan
NMI will identify telephone-accessible resources belonging to your organization, including modems and PBX systems. At your discretion, NMI may simply enumerate these systems by performing "war dialing," or may perform vulnerability scans or penetration tests against them.
Wireless Scan
NMI will identify wireless networks and devices operating within your organization, including 802.11, 802.11b, 802.11g, and Bluetooth networks and devices. At your discretion, NMI may simply map these networks and devices by performing "war driving," or may perform vulnerability scans or penetration tests against them.
Social Engineering
NMI uses remote and on-location covert research and subversive access attempts to test the strength of your organization's policies, training of staff, and technical controls. The social engineering test allows NMI to identify failures in best practice that could allow an attacker to extract valuable information from an unsuspecting or uninformed employee. Social engineering phases include:
- Research. Investigation of the target institution through trade publications, public websites, mailing lists, off-hours phone system access, and other attempts to identify targets for exploitation.
- Exploitation. Contact with social engineering targets, via phone, e-mail, or in person, to attempt to extract confidential and proprietary information such as passwords, account names, network topology information, security procedures, customer information, and other data prohibited for release by policy.
Configuration Analysis
NMI analyzes the actual configuration of your information system as a trusted insider. The configuration analysis can be performed independently or as a complement to a vulnerability scan or penetration test. The configuration analysis identifies problems that are not apparent from external testing, and is the only way to categorically disprove the existence of certain vulnerabilities. Results include RSK measurements to quantify risk to the systems under review.
Information Technology Review
The ITR is a configuration analysis for the IT infrastructure. NMI identifies network design errors, including poor and questionable practices, and performs a configuration analysis on key systems. This results in a set of recommendations that aim to strengthen controls in the IT infrastructure.
Application Analysis
NMI's extensive software engineering expertise combined with information security skills allows NMI to analyze your web-accessible and other applications for significant security flaws. NMI will look for parameter and boundary checking errors, excessive privileges, SQL and HTML injection, cross-site scripting, and other problems in the executable code that is available to any user of your application.
When a more detailed review of the underpinnings of the application is required, NMI will analyze the source code of any application written in one or more of the languages supported by NMI's software engineering services for security flaws. NMI will look for parameter and boundary checking errors, excessive privileges, SQL and HTML injection, cross-site scripting, and other problems in the source code of your application.
Risk Assessment
NMI identifies critical information resources by developing a critical asset inventory, identifies risks to those resources and prioritizes them according to impact and likelihood by performing a threat and vulnerability assessment, and recommends remedial actions and controls.
Critical Asset Inventory
NMI will identify your critical information assets and prioritize those assets according to their value and the results of the vulnerability assessment. This deliverable will provide a risk matrix of assets, threats, likelihoods, and exposures, as well as a comprehensive plan of action for reducing information security risk.
Threat and Vulnerability Assessment
NMI identifies threats to your organization's critical information assets, such as criminal acts, natural disasters, acts of war, and control failures. Each threat is reviewed to determine the likelihood that it will be realized by evaluating actual vulnerabilities in your organization's operations. This evaluation uses input from assessment activities such as vulnerability scans, penetration tests, configuration analysis, security program review, and security awareness review to determine the likelihood that a threat will be realized. The threat and vulnerability assessment also acts as input to the risk assessment process.
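The risk assessment, critical asset inventory and threat and vulnerability assessment sections above describe one pipeline: asset values and threat likelihoods, weighted by the exposures found during testing, yield a ranked risk matrix and a plan of action. The following is an added illustration of that pipeline, not NMI's RSK method; the assets, threats, and the 1-10 impact and 0-1 likelihood/exposure scales are assumptions.

```python
"""Risk matrix and plan of action from an asset inventory and threat list.
Added illustration (not NMI's RSK method); all data below is constructed."""

# Constructed critical asset inventory: asset -> impact if compromised (1-10)
ASSETS = {"customer-db": 10, "mail-gateway": 6, "intranet-wiki": 3}

# Constructed threat list: threat -> likelihood of occurrence (0-1, assumed)
THREATS = {"external-intrusion": 0.6, "insider-misuse": 0.3, "flood": 0.05}

# Exposure (0-1) of each asset to each threat, as established by assessment
# activities (scan, penetration test, configuration analysis, reviews).
# Pairs not listed are treated as no exposure.
EXPOSURE = {
    ("customer-db", "external-intrusion"): 0.7,
    ("customer-db", "insider-misuse"): 0.5,
    ("customer-db", "flood"): 0.2,
    ("mail-gateway", "external-intrusion"): 0.9,
    ("intranet-wiki", "external-intrusion"): 0.4,
    ("intranet-wiki", "insider-misuse"): 0.8,
}


def risk_matrix(assets, threats, exposure):
    """Return {(asset, threat): risk} with risk = impact * likelihood * exposure."""
    return {(a, t): round(v * p * exposure.get((a, t), 0.0), 3)
            for a, v in assets.items() for t, p in threats.items()}


def prioritized(matrix, threshold=0.0):
    """Rank (asset, threat) pairs by risk, highest first; drop those at or
    below threshold. Ties are broken by name so the output is stable."""
    ranked = sorted(matrix.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(a, t, r) for (a, t), r in ranked if r > threshold]


def plan_of_action(assets, threats, exposure, top_n=3):
    """The top_n risks a remediation plan should address first."""
    return prioritized(risk_matrix(assets, threats, exposure))[:top_n]


if __name__ == "__main__":
    for asset, threat, risk in prioritized(risk_matrix(ASSETS, THREATS, EXPOSURE)):
        print(f"{risk:6.2f}  {asset:14s}  {threat}")
    print("plan of action:", plan_of_action(ASSETS, THREATS, EXPOSURE))
```

Re-running the matrix after remediation (lower exposures) or after a re-assessment (changed likelihoods) shows whether the plan of action actually reduced the top-ranked risks.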
Security Program Review
NMI reviews your existing information security policies, practices, guidelines, baselines, and procedures, organizes them into a security program document (SPD), and provides a gap analysis (SPGA) that identifies areas where your security program does not measure up to best practices and legal and regulatory requirements for your industry (SPGA benchmarks include GLBA, HIPAA, COBIT, Common Criteria (ISO 15048), RFC 2196, ISO 17799, and others). The security program review is a key component of the RAPID information security deployment process.
Security Awareness Review
NMI interviews key personnel within your organization (from Board members to line employees) to determine overall security awareness as well as divergent practices (areas where actual practices are not aligned with your written information security program). The security awareness review is used during the RAPID process to evaluate actual employee practices and understanding of your organization's policies.
For more information, please contact NMI.
RAPID and RSK are trademarks of NMI LLC.