IT infrastructure security design review starts with penetration testing and interview sessions with appropriate staff. These provide basic familiarity with the organization's methods, structure, overall network components, and the network/security structure in place. Further studies will be conducted to identify:
Information security policies, procedures and practices, to determine whether they:
- Address the key factors affecting security and compliance;
- Enable effective compliance, implementation and enforcement;
- Reference or conform to established standards;
- Provide clear and comprehensive guidance;
- Define and communicate roles, responsibilities, authorities, and accountabilities for all individuals and organizations that interface with critical systems.
Configuration - server/network infrastructure.
The knowledge base of best practices will be used to define where systems deviate from this desired result and to organize systems into high, medium, and low value. This definition will serve as a basis for organizing all findings into high, medium, and low risk. A high risk in a low-value system must be differentiated from a high risk in a high-value system. This further refinement will assist the client organization in assigning priorities to remediation efforts.