Giving Allies a Better Sense of Security
A major application service provider was hosting computing environments for numerous
Fortune 500 customers. Due to the sensitive nature of the systems involved, the
firm needed to demonstrate to third parties that its environment was secure and
well controlled. What's more, it needed to demonstrate that it could meet requirements
for security that were even more strict and detailed than those involved in a
typical SAS 70 audit.
So that its ASP customers could rely on the company's services without having to
audit the environment themselves, the organization needed a high-quality, deep-dive
assessment of its security controls. It engaged SecureIT to perform a comprehensive,
highly technical security assessment of its computing environment.
Our assessment included all the customary procedures, such as interviews with
key personnel, documentation review, and external scanning of network, host,
and application-level vulnerabilities. In addition, we performed a thorough review
of the security configurations in every component of the computing environment,
including routers, firewalls, intrusion detection systems, host operating systems,
web servers, web application servers, a directory server, and the application
itself. We based our review on control objectives that we extracted from codified
best practices published by CIS, NIST, CERT/CC, vendors, ISO, ISACA, and related
organizations.
Through our security assessment, we identified numerous security deficiencies and
control gaps, which the client then addressed to improve the security and integrity
of its environment. To give the deficiencies we identified a useful context, our
report included appropriate background information and descriptions of compensating
controls. For added credibility and assurance for third-party audiences, we listed
each of the hundreds of technical control objectives that we reviewed and
cross-referenced them to commonly used best-practice standards.