CastleGarde IT Risk Assessment
CastleGarde Risk Assessment: EVA, IVA, Physical Security
Information Security Risk Assessments Overview

Information Security Technology Risk Assessment Services

CastleGarde’s methodology focuses on providing a full Information Security Risk Assessment. Our experience has shown this to be the most effective and thorough approach for our clients. The key components of our approach are the Internal Vulnerability Assessment (IVA), the External Vulnerability Assessment (EVA) and the Physical Security Assessment (PSA). Each is described in the following section.
Information Security Risk Assessment Process

Internal Vulnerability Assessment (IVA):

Onsite work is performed by a CastleGarde CISSP using a zero-knowledge approach. The infrastructure is “learned” through the use of our more than 20 tools. Attempts are made to crack passwords and to gain access to servers, network equipment and Credit Union applications. Breaches are captured and reported in the resulting security assessment report, which includes screen shots of compromised systems, exposure of Sensitive Member Information (SMI) and other problems found. Deliverables from these exercises are described at the end of this section.

External Vulnerability Assessment (EVA):

Work is performed remotely from Tampa, Florida, utilizing secured servers and an expanded toolset. Work is performed off hours to avoid any potential impact on your members and related services. The assessment is done in a covert phase and an overt phase, based on IP address information provided by you. Some credit unions notify their ISP prior to our tests; others don’t, and thereby test the effectiveness of their ISP in recognizing, reacting to, and reporting on attacks. EVAs will be performed quarterly throughout the length of the engagement, as required by the NCUA in the most recent NCUA IS&T Checklist. The previous Collins Community Credit Union contract only called for annual EVAs to be performed.

Physical Security Assessment (PSA):

The PSA addresses the specific requirements outlined in 12 CFR Part 748, Appendix A regarding the identification of, and controls over, the physical locations of SMI and other information, relative to the physical aspects of your environment. Social engineering is performed in an attempt to gain access to secured areas, testing both your external and internal access and facility controls. This work is also done covertly (with your approval) and overtly. The PSA is done in conjunction with the onsite IVA portion of the engagement.

These approaches and methodologies follow standard project management practice, which allows us to use standard project management tools during execution of the engagement. These tools let the Credit Union monitor the progress of the project and better manage the Credit Union staff and resources that will be utilized throughout the engagement.
Deliverables: Information Security Technology Risk Assessment Services
The key deliverables of the Risk Assessment are listed below. The files will also be provided on CD in a standard, machine-readable format (Microsoft Word 2003, Microsoft PowerPoint, PDF).
  • IVA/EVA/PSA: One (1) comprehensive, combined report is provided.
  • CastleGarde also creates a Board level presentation of the overall findings.
  • Presentation meeting of findings to the Information Security Committee (Draft and Final).
  • Quarterly EVA Reports. (Three (3) individual reports. The initial EVA is included in the comprehensive report referenced above.)
  • Board/Supervisory Committee presentation of findings, ratings, and feedback. Findings will be presented by CastleGarde Senior Management.
  • Branch Assessment Report.
The next few pages provide more detail on the work performed in each respective section of the Risk Assessment.