Standards Based Assessment

The Standards Based Assessment (SBA) is a full-spectrum assessment that addresses not only the technical issues of risk management but also the compliance, organizational, personnel, business continuity, and contractual aspects of the information security process. The SBA provides a comprehensive evaluation of an organization's overall risk posture by identifying deviations between the organization's information network and the 127 requirements of the ISO 17799 security standard.
Price:

The price of a Standards Based Assessment depends on the complexity and distribution of the network to be assessed. Factors that determine the price include the number of servers, desktops, firewalls, and intrusion detection systems; the number of office locations connected to the network; the number and types of operating systems; and travel expenses.
Projected Schedule:

The time to complete the Standards Based Assessment varies with the complexity of the network. As a general rule, one week is spent on-site gathering the necessary data and one to three weeks are spent assessing the data, documenting results, and preparing reports.
Deliverables:

Executive Summary - The Executive Summary details the vulnerabilities that received a ranking of High or Med-High and provides a table listing the counts of all vulnerability rankings identified.

Standards Based Assessment Report - The SBA Report documents the system architecture, system security requirements, protection mechanisms, and resources.

Findings and Risk Vulnerabilities Report - This report identifies vulnerabilities, assigns risk levels, and recommends remediation.

Security Test and Evaluation Plan and Procedures Report - This report lists each security requirement, identifies the test methodology, and provides an impact statement for each requirement.

Vulnerability Scan Data - Raw scan data.

Security Requirements Traceability Matrix - This report relates requirements from source documents to the security assessment process and ensures that every security requirement is identified and evaluated. Each row of the matrix identifies a specific requirement and records how it was tested or analyzed and the result.