The next step in the risk assessment process is to identify the vulnerabilities in your information systems. In order to conduct a thorough review of the information system you will need to examine multiple sources of information and utilize varied testing methods.
Information sources:
- Business team: Work with your business users to understand how they conduct their activities. You may find some vulnerabilities in the underlying information systems by asking how they conduct their day:
- Do your business users access a business-critical system while teleworking without VPN or strong access controls?
- IT team: Work with the IT team to understand how operations run and how information systems are configured:
- Do the development team's test and development environments have unfettered internet access?
- Change control:
- Are changes to the production information system passed through a change control board?
- Are those changes reviewed and approved by all stakeholders including security?
- Technical tools: Utilize technical security tools to discover and validate vulnerabilities on the network:
- Network vulnerability scanning
- Web application vulnerability scanning
- Source code vulnerability scanner
- Third-party auditing and testing: Utilize the services of third-party auditors and testers to discover the vulnerabilities within your information system:
- Compliance auditing and testing: Utilize a third party to inspect your information system for compliance with organizational compliance standards. These types of audits should include a vulnerability assessment.
- Vulnerability assessment: Have a third party inspect your organization for vulnerabilities.
-
- Penetration test: A much more intensive test than a vulnerability assessment. A penetration test takes the results of vulnerability assessment and tests the information system to see if the specific device is exploitable.
As you conduct your vulnerability assessment, ensure that you capture information related to your testing so that you can go back to the information source if there are future questions:
|
Vulnerabilities discovered |
Point of contact |
Method of discovery |
|
Storage mechanisms utilized are not redundant |
Storage team |
Interviewed team member and observed configuration. Artifact exists in the form of a configuration screenshot. |
|
Single provider for internet access is utilized |
Network team |
Interviewed team member and observed configuration. Artifact exists in the form of a configuration screenshot and services contract. |
|
No mechanism exists to monitor user behavior on the information system |
Systems team |
Interviewed team member and observed configuration. Documented that there is no mechanism in place to conduct user behavior analytics. |
|
No mechanism for privileged access management exists |
Systems team |
Interviewed team member and observed configuration. Documented that there is no mechanism in place to enforce privileged access management. |
|
Development and test servers have been placed on the internet and forgotten |
Development team external penetration team |
Interviewed team member and observed configuration. Artifact exists in the form of a penetration test report and concurrence by development team. |
|
Wet pipe sprinkler in data center |
Facilities team |
Interviewed team members. Artifact exists in the form of design information obtained from the facilities team. |