Questions
Some important points and typical questions that should be addressed during an assessment include:
- How is IT security organised in your company? What roles and/or committees exist, and how are their responsibilities defined?
- What policies and processes are in place relating to IT security? What is the state of your documentation? How is it implemented and checked?
- What are your company’s protection needs? What data is held in the company, and what standards does it have to meet in terms of availability, reliability and integrity?
- What technical measures have been put in place to satisfy security requirements? How is the network structured, and what protective mechanisms already exist?
- What interfaces are there between the Intranet and the Internet? How are they protected (firewalls, routers, etc.)?
- What information about the company is publicly available online, or can be easily found or accessed?
This information is compiled during an assessment. To do this, we interview staff, review and catalogue existing documents, and carry out research online and, where necessary, on-site. For the technical part we mainly use network scanners and diagnostic tools such as nmap, ping, tcpping or traceroute. All activities within an assessment are non-invasive: we do not attempt to attack or penetrate live systems. Without the information and documents collected during an assessment, an audit or penetration test cannot be carried out. In other words, without the fundamental stock-take of your security infrastructure that an assessment provides, the actual object of an audit (or penetration test) cannot even be identified.
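As an added illustration of the non-invasive tooling mentioned above (example code added here, not the firm's own scripts): a POSIX shell script that runs an nmap host-discovery sweep (no port scan), parses the grepable output into a host inventory, and traces the path to a host to expose the router/firewall hops at the Intranet/Internet boundary. The address range 192.0.2.0/29 and the embedded nmap output are constructed sample data so the parser can be exercised offline.

```shell
#!/bin/sh
# Non-invasive perimeter stock-take: host discovery plus path tracing.
# Added example; not the assessment firm's own tooling. The target
# range and the sample nmap output below are constructed for illustration.

# Constructed sample of `nmap -sn -oG -` (grepable) output, so the
# parser can be exercised without touching a network.
SAMPLE_NMAP_GREPABLE='# Nmap 7.94 scan initiated Tue Jan  1 00:00:00 2024 as: nmap -sn -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.net) Status: Up
Host: 192.0.2.2 () Status: Up
Host: 192.0.2.3 () Status: Down
# Nmap done at Tue Jan  1 00:00:01 2024 -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds'

# parse_nmap_grepable: read grepable output on stdin and print "ip hostname"
# for every host reported Up (hostname "-" when nmap resolved none).
parse_nmap_grepable() {
    awk '
        /^Host:/ && /Status: Up/ {
            ip = $2
            host = $3
            gsub(/[()]/, "", host)
            if (host == "") host = "-"
            print ip, host
        }
    '
}

# count_hosts_up: number of Up hosts in grepable output on stdin.
count_hosts_up() {
    parse_nmap_grepable | wc -l | tr -d ' '
}

# discover_hosts: live, non-invasive sweep of RANGE. -sn sends only the
# probes needed to learn whether a host answers (no port scan), so nothing
# on the target is exercised beyond its willingness to reply.
discover_hosts() {
    range="$1"
    nmap -sn -oG - "$range" | parse_nmap_grepable
}

# trace_perimeter: show the hops between us and a host, which usually
# reveals the router/firewall pair at the Intranet/Internet boundary.
trace_perimeter() {
    traceroute -n -m 15 "$1"
}

# Stand-alone usage: parse the embedded sample (offline); then, if a
# range or host is given on the command line, run the live sweep and trace.
printf '%s\n' "$SAMPLE_NMAP_GREPABLE" | parse_nmap_grepable
if [ -n "$1" ]; then
    discover_hosts "$1"
    trace_perimeter "$1"
fi
```

Even a discovery sweep is visible to the client's monitoring and may trip intrusion-detection alerts, so the scope and timing should be agreed with the client before running the live functions; the parser alone is safe to run anywhere.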