Laying the foundation for your assessment; The pre-assessment
visit; Determining the organization's information criticality;
System information criticality; The system security environment;
Understanding the technical assessment plan; Customer activities;
Managing the findings; Leaving no surprises; Final reporting; Tying
up loose ends
• Everything You Need to Know to Conduct a Security Audit of Your
Organization
• Step-by-Step Instructions for Implementing the National Security
Agency's Guidelines
• Special Case Studies Provide Examples in Healthcare, Education,
Infrastructure, and More
In 1998, the National Security Agency (NSA) developed the Information
Assurance Methodology (IAM) to meet the demand for information
security (INFOSEC) assessments, a demand that was increasing because of
Presidential Decision Directive 63 (PDD-63) at the same time that the
NSA was downsizing. The NSA sought a way to maximize its resources and
assist as many customers as possible, so it created a list of
organizations that could perform the same service as the NSA. The NSA
quickly realized that this system would not only provide valuable
information to consumers; it would also provide a vehicle for
standardizing INFOSEC assessments.
Define What Composes an Assessment
Learn about the NSA's three phases: Assessment,
Evaluation, and Red Teaming.
Understand Industry Concerns for the Assessment Site
Review the items that affect your client: the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), Sarbanes-Oxley,
the Financial Management and Accountability (FMA) Act, the Family
Educational Rights and Privacy Act (FERPA), and others.
Create the Organizational Information Criticality Matrix (OICM)
Create the OICM, which provides a basis for everything else in the
methodology and clarifies the intentions and goals of the
assessment process for the customer.
Handle Documentation Identification and Collection
Work with the client to gather and define documents such as policy,
guidelines, plans, SOPs, and user documentation, and see what happens
when no documentation exists.
Understand the Technical Assessment Plan (TAP)
Use the TAP to define all dates and scheduling, personnel
involvement, agreed boundaries, deliverables, priority
concerns, and priority constraints.
Review the 18 NSA INFOSEC Baseline Classes and Categories
Use these 18 categories to address the customer’s security posture
and determine what questions should be asked during the interview
process.
Create a Recommendation Road Map
Provide the customer with a road map showing the best way to address or
implement corrective measures for negative findings.
Understand the Findings
Assess the overall risk to a customer by examining threats,
vulnerabilities, and asset value, and analyze both negative and
positive findings to create a true picture of the customer's
security posture.
Register for Your 1 Year Upgrade
The Syngress Solutions upgrade plan protects you from content
obsolescence and provides monthly mailings, whitepapers, and more!