• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 512
  • Last Modified:

Security Assessments

Experts,

I wonder if you could provide a basic overview of what types of security assessments, audits etc. you perform on your IT infrastructure, and how often you perform them, i.e. assess your firewall every quarter, your physical security every 6 months, your IDS every 6 months etc.

We have come up with some plans to fit in security assessments of certain components of our IT infrastructure and security, to be performed by an external vendor, but would just like to compare the plans to your setup.

Any pointers most welcome, and timelines on how often you assess certain parts of your IT setup, infrastructure and key systems would be most appreciated.

Regards
0
Asked by: pma111
2 Solutions
 
Kamran Arshad (IT Associate) commented:
Hi,

You need to put in place an IT Security Policy which includes assessment as well. There are many security policy templates available on the Internet. A few are listed below:

www.sans.org/resources/policies/ 
www.ruskwig.com/security_policies.htm
www.dir.state.tx.us/security/policies/templates.htm
www2.wlv.ac.uk/its/everyone/projects_and_policies/info_security_policy.pdf
www.altiusit.com/policies.htm
0
 
pma111 (Author) commented:
Hi uetian1707:

We do have a policy in place; it was more just to get a flavour of how accurate our policy was in terms of the assessment, and of how others assess which parts of their IT infrastructure and how often.

Regards
0
 
ahoffmann commented:
Do you also have web servers in your IT infrastructure?
0
 
pma111 (Author) commented:
Hi ahoffman, yes we do...
0
 
ahoffmann commented:
Should your web applications be part of the assessment?
0
 
pma111 (Author) commented:
Anything really specific to IT infrastructure, major web-based apps (Oracle etc.)... Just wanted to see other people's IT assessment schedules as a point of reference more than anything.
0
 
ahoffmann commented:
Web-based assessments are very different from traditional network security tests.
There aren't many tools for that; most tests need to be done manually by experienced people.
If someone offers security testing including web apps, and then hands over a beautified Nessus or nmap report, you can be sure that it's not worth reading (except for your amusement :).

Just my 2 pence about pen testing web apps.
0
 
pma111 (Author) commented:
Thanks ahoffman, thanks for the tip.

It would be interesting to hear how often, and for what parts of your network (outside the web apps), your company brings someone in to test, i.e. every 6 months?
0
 
ahoffmann commented:
I'm not used to network tests (unless web apps are involved), hence cannot give valuable information, sorry.

For the network itself, a test every 6 months and/or whenever the network or its components change should be more than sufficient, IMHO.
0
 
pma111 (Author) commented:
Thanks for the pointers, ahoffman.
0