Internal Vulnerability Assessment (IVA)

Internal Security Assessment (ISA)

Includes penetration testing

The purpose of an Internal Security Assessment (ISA) is to examine the effectiveness of the credit union's controls against a combination of financial industry best practices, including the Gramm-Leach-Bliley Act (GLBA), Federal Financial Institutions Examination Council (FFIEC) guidance, NIST, ISO, and PCI requirements, as well as general good business sense. The six major security domains addressed during the scope of an ISA include: User Security, Host Security, Physical Security, Network Security, Disaster Recovery, and Policies and Procedures. These domains are reviewed against industry best practices for internal network security.

Following the CastleGarde assessment methodology, an Internal Security Assessment is performed in four stages:

Internal Security Assessment Stages:

  • Information Gathering
  • Identification and Testing
  • Evaluation and Validation
  • Analysis and Reporting


Information gathering

Most of the initial information gathering will take place at your site.


Identification and Testing

During the identification and testing stage, CastleGarde will interview selected staff, review policy, and observe procedures. The end goal of this stage is to create a test bed for use in the subsequent stages by identifying the critical information assets of the organization. Moreover, by interviewing key staff and through direct observation, CastleGarde will be able to determine the effectiveness of the procedural controls in place to maintain the confidentiality, integrity, and availability of the critical information systems. This stage is most often thought of as the person-to-person stage.

Tasks in this stage include:

  • Disaster recovery plan review (BCP)
  • Network architecture review
  • Network/Host administration procedural review
  • Cloud-based services review

CastleGarde will perform manual probes of systems and run a number of security audit and assessment tools to evaluate the effectiveness of controls implemented and enforced by the systems themselves. In addition, any vulnerabilities in procedural controls or systems exposed in the previous phase will be tested at this point.

Tasks that may be performed in this stage include:

  • Firewall rule analysis
  • Systems vulnerability testing
  • Enterprise policy audit
  • Password audit

Evaluation and Validation

During the evaluation and validation stage, the assessment team will validate the findings from the system testing and perform any relevant penetration tests.


Analysis and Reporting

The final phase of the internal assessment is conducted off-site. Utilizing the information gained in the previous three stages, the CastleGarde assessment team will perform a risk analysis to determine the organization’s risk profile. The ensuing report provides management with the tools needed to make accurate decisions with respect to the acceptance, avoidance, or assignment of risk.

Upon completion, a member of the CastleGarde assessment team will present the written report in a multimedia presentation of findings to the organization’s management team or Board of Directors. The report will include specific recommendations on mitigating or avoiding the exposed risks, along with an information security roadmap for implementing recommended changes.