Question Yes No Business requirements documentation

Transcription

1 Advanced Security Partner Services Assessment Checklist Question Yes No Business requirements documentation 1 Do you have a standard process and associated deliverable to collect a customer's business requirements for a security so lution? If so, does your business requirements deliverable include the following 1a Identifying the customer's communications requirements to support their business-level initiatives 1b Identifying opportunities for the customer to improve productivity and collaboration in the security practice 1c Identifying opportunities for the customer to streamline operations with their security practice 1d Identify ing opportunities for the customer to reduce costs Statement of work development 2 Do you use a standard Statement of Work (SOW) form for security engagements? If so, does your standard SOW include the following components: 2a Is there a section for project completion criteria? 2b Are partner and customer responsibilities well-defined, including project assumptions? 2c Is there a section that defines the escalation procedure? 2d Is there a section that defines the change management process? Site survey performance 3 Do you have a standard process and associated deliverable for completing security site surveys? If so, does your site survey deliverable include the following 3a Details ab out the customer s site and facilities 3b Data in frastructure 3c Data appl ication 3d Security applications Secur ity policies and procedure review 4 Do you have a standard process and associated deliverable for evaluating and providing recommendations on a customer's security policies and procedures? If so, does your security policy and procedures deliverable include the following 4a A well-d efined purpose, scope, and security responsibilities 4b Corporate, departmental, and technology policies 4c Security policies Project planning 5 Do you create a security solution project plan that identifies the work breakdown structure for the plan, design, and implement phases? If so, does your project plan include the following components: 5a Associate d tasks outlined in sequential order 5b Timelines associated with each sequential task 5c Required skill levels associated with each sequential task Version 1 Advanced and Master Security Specializations Page 1

2 5d Associate d dependencies noted with the project plan Secu rity readiness assessment 6 Do you have a standard process and deliverable for performing a security readiness assessment? If so, do es your security readiness assessment process include the ability to execute the following: 6a Assessing the customer's existing network for security solution readiness 6b A ssessing the customer's existing software operations procedures 6c Assessing the customer's existing security management procedures 6d Creating a security readiness assessment report 6e Formal presentation of the security readiness assessment report to the customer Cisco Security Agent product configuration 7 Do you have a standard process and template for the configuration of Cisco Security Agent? If so, does your Cisco Security Agent product configuration checklist document the following: 7a Configurations cre ated for groups, rule modules, and policies 7b Attaching a rule to a policy 7c Attachin g a policy to a group 7d Genera ting rule programs Cisco Security Agent product implementation 8 Is there a process to report observed incidents of attempted intrusion during a vulnerability assessment? If so, does your Cisco Security Agent implementation ch ecklist document the following: 8a All Cisco networking and applications devices to be implemented 8b Hardware and software configurations 8c All hardware and software installation tasks and checklists 8d How to set the security policies type to each Cisco Security Agent 8e Policy fine-tuning activities 8f Definition s for installation, commission, and network connectivity test tasks Acce ptance testing and network ready for use (NRFU) testing 9 Do you have a standard process and deliverable for the development and execution of a security acceptance test plan? If so, does your security acceptance test plan document the following: 9a Network topology overview with diagrams and a project contac t list 9b NRFU tes t process 9c Final se curity configurations 9d NRFU cus tomer acceptance with signature and date Version 1 Advanced and Master Security Specializations Page 2

3 Master Security Partner Services Assessment Checklist Question Yes No Technical requir ements documentation 10 Do you have a standard process and associated deliverable to collect th e customer's technology requirements for a security solution? If so, does your technology requirements deliverable include the following 10a Do the activities for developing a security strategy include conducting a preliminary technical discovery? 10b Do the se curity strategy development activities include conducting a technology strategy meeting? 10c Does the process include the developm ent of a technology strategy? 10d Does the process include the effort of formally presenting the technology st rategy to the customer? Vulnerability assessment 11 Does your company conduct security vulnerability assessments? If s o, does your methodology include the following 11a Focus o n security standards, safeguards, and controls for local, national, and international regulations as applicable? 11b Use of scanning, and penetration tools as part of your vulnerability assessment methodology? 11c A standard process and methodology to detect and restore network, service degradation, and or outage, as a result of performing the vulnerability assessment? 12 Do you have a standard methodology for conducting all types of vulnerability assessments (internal, external, and remote VPN access)? If so, does your methodology include the following 12a Flowchart(s) detailing the operational process followed during all vulnerability assessments 12b A completed delivery matrix for the vulnerability assessment, mapping your se rvice deliverable areas to the three types of vulnerability assessments (internal, external, remote access) 12c Internal (intranet) security assessment 12d External ( Internet) security assessment 12e Remote access assessment 13 Do you have a standard methodology for conducting penetration testing of selected critical network and computing assets? If so, does your methodology include the following 13a Conductin g port scans to find vulnerabilities 13b Activitie s to exploit known vulnerabilities 13c Penetra tion testing of open ports trying to gain administrative level access 14 Does your vulnerability assessment include a standard methodology for conducting customers employee role and responsibility interviews? If so, does your methodology include the following informati on: 14a Interviewing various security roles and responsibilities within the customer' s organization 14b Questions for current and future network and security operations initiatives Version 1 Advanced and Master Security Specializations Page 3

4 15 Does your vulnerability assessment methodology assess customer operating system security, telecommunications security, architecture security, and protocol security? If so, doe s your methodology include the following: 15a Operating system security, such as Microsoft Windows, UNIX, and Linux 15b Telecommunications security, such as network and system infrastructure, LAN, WAN, remote access, wireless, and firewall access control 15c Architecture security, such as firewall access control, intrusion prevention, and host-based security 15d Protocol security such as TCP/IP, User Datagram Protocol (UDP), H.323, Session Initiation Protocol (SIP), peer-to-peer, and instant messaging 16 Do you have a process to report observed incidents of attempted intrusion during a vulnerability assessment? If so, does your report include the following 16a The lists of the systems by IP address and summary of attempted intrusions associated with each IP address 16b Report sorted by vulnerability so that all systems with the same vulnerability are grouped 17 Does your vulnerability assessment report include specific vulnerability findings for external, internal, and remote access? If so, does your vulnerability assessment report include the following 17a Topology maps and diagrams of a customer s network 17b Vulnerabilities, descriptions, and systems penetrations and identified levels of risk 17c Potential secondary vulnerabilities 18 Does your vulnerability assessment report include recommended corrective actions? If so, do your corrective actions include the following: 18a Proposed technical solutions based on findings of the vulnerability assessment 18b Proposed leading practices templates for vulnerability assessment remediation 18c Hardware or software updates 18d Configuration changes 19 Do you have policies and procedures for ensuring privacy of the vulnerability assessment findings? If so, does your methodology include the following: 19a Controlled access of the information 19b Limited access to the findings after the end report is produced Version 1 Advanced and Master Security Specializations Page 4

5 Version 1 Advanced and Master Security Specializations Page 5