Assessment Services
Vulnerability Assessment (External and Internal)
In this service, often referred to as Penetration Testing, infotex scans your network perimeter against all known vulnerabilities. We perform these scans “blindly,” meaning that we don’t have any information about your network. The goal is to find, analyze, and confirm ALL vulnerabilities, resulting in a risk-based project plan for mitigation.
To scan your internal network, we install a device on your internal switch (after the blind scanning is finished, of course). This device, called the mole, builds a VPN back to our Network Operations Center, which then allows us to scan your internal network remotely. Because scanning can be intrusive, we remotely scan your network in off-hours.
GLBA Compliance Testing (IT Audits, IT Governance Reviews)
In this approach, we interview your management team and several other persons in your organization. We solicit documentation of policies and procedures and then run all submitted information against checklists that we have developed based on the FFIEC guidelines. We then deliver a report with detailed deficiencies noted in policies and procedures as well as suggested remediation. The report includes an executive summary as well as a detailed “policy gap matrix” that applies a risk analysis to each deficiency and establishes metrics that can be used over time to measure remediation (and inherent risk). infotex can target a policy gap analysis to specific policies or programs, such as Acceptable Use Policies or Vendor Management and/or Incident Response Programs.
Internet Banking Controls Review
infotex will perform an IT security review of your Internet banking controls. The review will address the most recent guidance on Internet banking issued by regulators.
Physical Security and Environmental Controls Review
We will review your physical security and environmental controls of key security zones, including, but not limited to, your headquarters facility, Data Center, and branch offices. infotex will also review your procedures regarding physical security and environmental controls in accordance with regulatory requirements.
Business Continuity Plan Testing
We help your Business Continuity Team implement walk-throughs, table-top tests, or full functional testing. infotex will help design the test objectives and the test plan, and document the results as well as the post-mortem analysis, all within FFIEC guidelines.
Network Configuration Audit
infotex will perform an assessment of your current network configuration including client and server applications and IT practices based on comparison to vendor and industry published best practices. We use Microsoft Baseline Security Analyzer for Microsoft devices and review vendor documentation for AVS, Spyware Defense, Firewalls, etc.
Web Application Security Reviews
We perform our Web Application Security Review using a phased approach. Not only does infotex look at technical controls, but also non-technical controls (SDLC, Change Management, Documentation) that your organization has in place. We test control processes, user interfaces, encryption, authentication, and infrastructure, and of course we perform extensive source code reviews. We can conduct a full audit, black-box review, or a risk-based audit (using OWASP's Top 10 as a framework).
Risk Assessment
We will help you develop a customized program for managing GLBA risk, as per FFIEC requirements. infotex will leverage existing processes to provide an effective method of abbreviating and sharing critical risk and control information among business process owners. The deliverables will include appropriate policies, detailed procedures, customized risk assessment tables, metrics, compilation methods, training, and process documentation. The program will cost-effectively identify, measure, and manage risk arising from information. A filtering process will be created to notify business process owners of relevant risk and controls in other business processes, resulting in a reduction of redundant mitigating controls, and an alignment of information security practices with IT Governance and overall Business Strategy. Depending on your examiner's preference, our approach can be asset-based or threat-based.
Social Engineering
Other Tests
We provide other IT Audit services, including war dialing, war driving, and dumpster diving.
Let infotex help your organization with your Assessment / Audit Service needs!