The purpose of an Internal Vulnerability Assessment (IVA) is to examine the effectiveness of the credit union's controls against a combination of financial industry standards and best practices, including Gramm-Leach-Bliley (GLBA), Federal Financial Institutions Examination Council (FFIEC) guidance, NIST, ISO, and PCI requirements, as well as general good business sense. The six major security domains addressed within the scope of an IVA are: User Security, Host Security, Physical Security, Network Security, Disaster Recovery, and Policies and Procedures. These domains are reviewed against industry best practices for internal network security.
Following the CastleGarde assessment methodology, an Internal Vulnerability Assessment is performed in four stages:
- Information gathering
- Identification and Testing
- Evaluation and Validation
- Analysis and Reporting
Most of the initial information gathering will take place at your site. During the information gathering stage, CastleGarde will interview selected staff, review policy, and observe procedures. The end goal of this stage is to create a test bed for use in the subsequent stages by identifying the organization's critical information assets. Moreover, by interviewing key staff and through direct observation, CastleGarde will be able to determine the effectiveness of the procedural controls in place to maintain the confidentiality, integrity, and availability of the critical information systems. This stage is most often thought of as the person-to-person stage.
Tasks in this stage include:
- Disaster recovery plan review (BCP)
- Network architecture review
- Network/Host administration procedural review
In the identification and testing stage, CastleGarde will perform manual probes of systems and run a number of security audit and assessment tools to evaluate the effectiveness of the controls implemented and enforced by the systems themselves. In addition, any weaknesses in procedural controls or systems exposed in the previous stage will be tested now.
Tasks that may be performed in this stage include:
- Firewall rule analysis
- Systems vulnerability testing
- Enterprise policy audit
- Password audit
During the evaluation and validation stage, the assessment team will validate the findings from the system testing and perform any relevant penetration tests.
The final phase of the internal assessment is conducted offsite. Utilizing the information gained in the previous three stages, the CastleGarde assessment team will perform a risk analysis to determine the organization’s risk profile. The ensuing report provides management with the tools needed to make accurate decisions with respect to the acceptance, avoidance, or assignment of risk.
Upon completion, a member of the CastleGarde assessment team will present the written report and its findings in a multimedia presentation to the organization’s management team or, upon request, to the Board of Directors. The report will include specific recommendations on mitigating or avoiding the exposed risks, along with an information security roadmap for implementing the recommended changes.