NoPasara™ offers a comprehensive Information Security Assessment Service – focusing on information as one of your most important assets.
Benefits of choosing NoPasara as your INFOSEC Assessment Vendor:
- Unmatched Methodology
While others just run tools and follow a single procedure, we have taken the best guidelines used by the US military and have combined their strongest areas into a single information security assessment methodology.
We have combined the guidelines of FEDRAMP and FISMA with best practices from the NSA and DISA. Together they comprise an assessment of your information assets which is unmatched in its quality.
- Our focus is achieving the highest possible levels of security for your network
Instead of just writing a report, our value-added consulting service begins during the initial phases of the assessment and continues after it has passed – and our information security experts will provide you with valuable and easy to follow advice on securing your infrastructure from attacks.
- Amazing Customer Support
Our team is highly technical and friendly – you can always rely on us to be there for you no matter the time of day or night.
Our information security assessments are performed within a standards-based framework and strictly following the standards issued by:
- National Security Agency (NSA) – following the NSA Information Security Assessment Methodology (ISAM)
- National Institute for Standards & Technology (NIST) – NIST SP 800-53
The assessment is a company-wide process focusing on non-technical security aspects. During the assessment, we examine the security policies, procedures, standards, architectures and practices that are in place to support the business. Although there is no hands-on testing (such as scans or penetration tests) in an assessment, it is a very practical process, with the customer working to achieve an understanding of critical information, critical systems, and how the organization wants to shape the future of its information security.
Please do not confuse evaluation with assessment: during the evaluation phase, we examine the technical aspects of your security controls at the endpoint/network level to identify and mitigate any security vulnerabilities found via technical or managerial methods. The ISAM specifically focuses on the assessment, but elements of evaluation can be included in the ISAM process. NSA calls this a Level 1+ assessment. It includes technical analysis of the firewalls, intrusion detection systems, guards, and routers, and may also include some basic vulnerability scans of the customer’s networks. In addition, the ISAM process provides excellent information that leads into future evaluations.
During a penetration test, our team imitates an adversary looking for security vulnerabilities and, if possible, breaks into the network just as an attacker would. Penetration testing is often described as going after the “low-hanging fruit”: the exploits used to take advantage of the vulnerabilities found are the easiest way to get inside your corporate network.
An INFOSEC assessment:
- Determines which information is critical to the organization
- Identifies the systems that process, store, or transmit that critical information
- Determines the current INFOSEC posture for these systems
- Determines the proper INFOSEC posture for these systems
- Identifies potential vulnerabilities
- Recommends solutions to mitigate or eliminate those vulnerabilities
Nonattribution is the act of not establishing a specific individual as responsible for something. This is the specific term we use to describe the process of reporting findings without laying “blame” on any individuals.
The major difference between an assessment and an audit or inspection is the overall goal of the process. The audit or inspection is normally understood to be a check for compliance, often bringing with it consequences for failure. This process tends to create a very unfriendly environment in which the people you need to work with are wary and cautious in their dealings with you due to their fear of being held directly responsible for the findings, which will happen, because nonattribution is not an aspect of your typical audit.

In opposition to this concept, we have the goal of an assessment process, which is to help or assist the customer organization in improving its INFOSEC posture, not to pass judgment. In fact, we have often witnessed an organization request an assessment as a means of preparing for an audit. The concept of providing assistance cannot be overstated; many individuals who have been involved with assurance checks in the past likely felt as though they were inspected in a rather judgmental light. An assessment based on our process can be an excellent tool for preparing for any upcoming audits. It allows the organization to work on meeting goals or compliance requirements in a friendly and cooperative environment.

Audits also carry a declaration of fault in regard to inefficiencies; the ISAM, on the other hand, is what some people like to call a no-fault or nonattribution process. The objective is to assist in improving security rather than assign blame to anyone who may have forgotten to implement a patch or verify a backup tape. When something like that does occur, it is more likely due to a process and procedure failure, not someone trying to circumvent the system. People are more likely to be honest and forthcoming when they understand that their actions and answers will not be attributed directly to them but merely addressed as a finding in the final report. The ISAM will not put a name next to any piece of information gathered.
Any conclusions drawn in regard to attribution are not done so by the assessment team.
We need to understand your business to a very deep level before we even start assessing your information security. For that purpose, we will hold several interviews with key employees / management to ensure we are on the same page regarding the expectations for our service. Be prepared to uncover areas of importance you have never thought about.
The next step is planning the assessment itself, as resources will need to be assigned from both sides for a relatively long time frame: depending on your company size, from several days to 2-3 weeks.
The Information Security Assessment is not focused on technical controls, as they are just 12%-15% of the controls needed to protect information.