Phase 1 – Penetration Testing
Phase 2 – Internal Security Audit
Phase 3 – Post Assessment Phase
Phase 4 – Recommendations & Training
Internal Security Audits follow a methodology similar to external testing, but provide a more complete view of the site's security. Testing will be performed from a number of network access points (as agreed upon in the RoE), representing each logical and physical segment. As an example, our vulnerability assessment and management target list for a major Federal Agency includes firewalls, IDS, routers, switches, external penetration testing, war dialing, Oracle and SQL Server configuration testing, VoIP infrastructure assessment, mainframe assessment, Unix server farm assessment, Windows server assessment, wireless access point reviews, and external third‐party connection assessments.
Internal Security Audit will be conducted onsite over a period of We have adopted a hybrid approach combining two proven methods of testing: the NSA‐approved Information Evaluation Methodology (IEM) and the Open Source Security Testing Methodology (OSSTMM). The IEM was developed by analyzing processes implemented throughout the Evaluation community including the NSA, Government Agencies, and Industry. The IEM process involves many specific and repeatable stages.