Assessments are a way to increase information security for your organization. Assessments are done in cooperation with the system owners and help make the system owners aware of information security issues that may exist with their assets. The assessment methodology you will learn and understand is a six-step process.
The 1st step you will learn is: Assessment Planning
This includes initial research of your organization's policies and procedures, applicable laws, and information security best practices. You will then learn how to develop a scope document, which is signed by the system owner. MBM Consulting will then train your organization on how to develop an assessment strategy (the what and the how); from this, your organization will be able to create an effective assessment checklist.
The 2nd step you will learn is: Entrance Conference
Management, system owner(s), system administrator(s), and the information security assessment team should attend the entrance conference. The scope document will be covered at this meeting, as well as the assessment process, assessment roles, and the time frame for the assessment. MBM will train your organization in completing all of these tasks.
The 3rd step you will learn is: Fieldwork
MBM will deliver an understanding of the fieldwork, which is done in a systematic manner according to the previously developed checklist. The information security team will be trained on how to report new issues in a timely and professional manner to the system owner/administrator, as defined in the scope document. The information security team will also be trained on how to document all security issues and include them in the assessment report delivered at the end of the assessment.
The 4th step you will be trained to understand is: Preparing the Report
The Assessment Report will include:
Executive Summary
Describe the purpose of the assessment.
Describe the scope of the assessment.
Findings and recommendations
Conclusion
MBM will provide templates to assist your organization in drafting the assessment report, which should be reviewed and commented on by the system owner/administrator prior to the exit conference.
The 5th step you will be trained to understand is: Exit Conference
Management, system owner(s), system administrator(s), and the information security assessment team should attend the exit conference. The conference will accomplish the following:
Review the report
Assign tasks for remediation/mitigation
Establish a schedule for future assessments
The 6th step you will be trained to understand is: Report to Management
The report to management will include a presentation of the executive summary and the status of mitigation/remediation efforts followed by discussion and/or questions.