Page 166 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information  Security and Privacy




                    Notes          IAM is subdivided into three phases: Pre-Assessment, On-Site Activities, and Post-Assessment.
                                   The Pre-Assessment phase is intended to build a general understanding of customer needs,
                                   identify target systems, and establish the "rules of engagement" for the assessment. Pre-Assessment
                                   concludes with a written assessment plan.
                                   The On-Site Activities phase represents the primary thrust of IAM in that it takes the results of
                                   the Pre-Assessment phase, validates those results, and performs additional data gathering and
                                   validation.

                                   The output of this phase is a statement of initial analysis. Finally, the Post-Assessment
                                   phase concludes the IAM by pulling together all the details from the preceding two phases
                                   and combining them into a final analysis and report.
                                   IAM training is usually broken into four modules. The first module provides background for and
                                   an overview of IAM. The remaining three modules each concentrate on one phase, beginning with
                                   Pre-Assessment, moving on to On-Site Activities, and closing with Post-Assessment.
                                   This methodology is largely high-level and non-technical. In this respect, IAM is roughly
                                   comparable to the performance of a full SAS 70 Type II audit: the testing starts with paper-based
                                   definitions and then moves into a stage of basic corroboration of those definitions,
                                   without performing major technical testing.
                                   Because it addresses Level 1 of the "Vulnerability Discovery Triad," IAM does not compare directly to
                                   IEM but is instead the first step of the overall process, leading up to IEM at Level 2.
                                   IAM may best be compared to OCTAVE (discussed below) in that it is a non-technical evaluation of
                                   vulnerabilities and, by extension, of risk.

                                   11.4.2 INFOSEC Evaluation Methodology (IEM)


                                   Its purpose is to provide a technique for technically assessing vulnerabilities in systems and to
                                   validate the actual INFOSEC posture of those systems.
                                   The IEM is a companion methodology to IAM, fitting under the overall umbrella of the
                                   IA-CMM framework but targeting Level 2 of the "Vulnerability Discovery Triad." As such, IEM
                                   functions hand-in-glove with IAM, mirroring the overall process format almost exactly.
                                   The key differentiation between IAM and IEM is that the IEM performs actual hands-on assessment
                                   of systems in order to confirm the actual existence of vulnerabilities, whereas the
                                   IAM's output is documentation of probable vulnerabilities in those systems.
                                   Like the IAM, the IEM is separated into three phases: Pre-Evaluation, On-Site, and Post-
                                   Evaluation. The Pre-Evaluation phase starts by taking the IAM Pre-Assessment report as input
                                   and then coordinating the rules of engagement for carrying out technical assessment of the
                                   systems in scope. This phase concludes with a Technical Evaluation Plan.
                                   The On-Site phase of the IEM then represents the bulk of the hands-on technical work, performing
                                   various discovery activities, scans, and evaluations. All findings are manually validated to ensure
                                   accuracy.
                                   Finally, the Post-Evaluation phase concludes the methodology in a way similar to the IAM by
                                   pulling together all data produced and putting it into a final report that details findings, recommendations,
                                   and a security roadmap.



                                     Did u know? The IEM closes with customer follow-up and support.







          160                               LOVELY PROFESSIONAL UNIVERSITY