Pau Lo asked:
web site setup and risk assessment

I am trying to put together some pertinent questions in regards to our corporate website, in terms of technology, hosting, support, roles & responsibilities, etc. This is to assist in an independent review of the website by a 3rd party covering accessibility, performance, security, etc. Can you suggest some relevant 'fact-finding' questions you would ask if you needed to understand the setup of a website, its hosting, and all the various technology components used to develop and maintain the site? It is not something I have ever had responsibility for, so having some queries in order to get a better understanding would be most useful.
ASKER CERTIFIED SOLUTION (Dr. Klahn)
btan:
Though it is about security testing, the pre-engagement questions would add to the list that you can consider.
http://www.pentest-standard.org/index.php/Pre-engagement#General_Questions
7.1 Network Penetration Test
7.2 Web Application Penetration Test
7.3 Wireless Network Penetration Test
7.4 Physical Penetration Test
7.5 Social Engineering
7.6 Questions for Business Unit Managers
7.7 Questions for Systems Administrators
May also want to check out the guideline for securing web servers; in short, it covers how the web server is hardened and kept healthy: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Other areas would be the governance, regulatory and compliance regime enforced. It can be the organisation-driven policy and the competency of the people managing the infrastructure hosting the setup. It would likely revolve around exploring the characteristics of a cloud ecosystem, which include:

• Broad network access,
• Decreased visibility and control by cloud Consumers,
• Dynamic system boundaries and comingled roles/responsibilities between the cloud Consumer and cloud Provider,
• Multi-tenancy,
• Data residency,
• Measured service, and
• Significant increase in scale (on demand), dynamics (elasticity, cost optimization), and complexity (automation, virtualization).
Ultimately, as a cloud consumer adopting a cloud-based solution, you are likely to follow the steps below, and these are areas from which to generate questions:

1. Describe the service or application for which a cloud-based solution may be leveraged;
2. Identify all functional capabilities that must be implemented for this service;
3. Identify the security and privacy requirements and the security controls needed to secure the service or application;
4. Analyze and select the most appropriate cloud Ecosystem architecture, by combining a cloud deployment model (public, private, hybrid, community) and cloud service model (IaaS, PaaS, SaaS);
5. Identify and select the cloud Actors involved in orchestrating the cloud Ecosystem (e.g., Provider(s) and/or Broker(s));
6. Understand the cloud Provider(s)’ and Broker(s)’ security posture and inherited security and privacy controls. Tailor the security and privacy controls to fulfill the security and privacy requirements for the particular use case or identify additional compensating security controls, when necessary;
7. Assign specific values to organization-defined security parameters via explicit assignment and selection statements;
8. Supplement baselines with additional security and privacy control enhancements, if needed; and
9. Provide additional specification information for the implementation of security and privacy controls.
Managing Cloud risk - https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=919234
SOLUTION
Physical security needs to be considered too: who can physically access the server room, is there any fire protection, surge protection...
You will want to know this, especially if you are renting a dedicated server.
I think it is safe to say you don't want to host a website on your own. Then, if you use any reputable hosting service or cloud host like Azure or AWS, physical access is going to be a non-issue. Azure, for instance, is secure enough to be HIPAA compliant (as is O365): https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA, and you can check any of the traditional hosts' sites for this type of information as well: https://www.liquidweb.com/about-us/data-centers/