- Determine compliance requirements (to-be).
  Industry best practices and vendor recommendations assist in determining the ideal operating state of the existing infrastructure.
  - Hardware settings
    - Application: servers, clients
    - IT infrastructure: routers, switches
    - IA infrastructure: FW, VPN, AV, IDS
  - Operating system: servers, clients, routers, switches, FWs, etc.
    - Parameter settings
    - Background processes
    - Patch levels
  - Applications
    - COTS
    - In-house
- Scan existing infrastructure (as-is).
  Perform a technical scan of the existing infrastructure.
- Perform a gap analysis between as-is and to-be.
  Compare scan results against the ideal operating state.
- Remediation plan (a.k.a. transition plan)
  Develop a plan to get from as-is to to-be.
  A valid part of the plan is a waiver process; this is an acknowledgment that the to-be state may be ideal, but for some reason (typically cost), the remediation plan is not feasible.
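As an added worked example (not from the book), the gap-analysis and waiver steps above expressed in Python: a constructed to-be baseline (patch levels, parameter settings, background processes) is compared control by control against a constructed as-is scan result, and a waiver register from the remediation plan marks the gaps that have been acknowledged but accepted. Host names, control names and values are hypothetical; controls the scanner could not report are set aside for eyes-on/hands-on validation rather than silently counted as compliant.

```python
"""Gap analysis between an as-is technical scan and a to-be baseline."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed to-be baseline (ideal operating state). Hosts, control names and
# values are hypothetical and are not taken from any real standard or vendor guide.
TO_BE: Dict[str, Dict[str, str]] = {
    "web-01": {
        "os.patch_level": ">=2024-03",      # minimum patch level, YYYY-MM
        "ssh.PermitRootLogin": "no",        # parameter setting
        "ssh.Protocol": "2",
        "svc.telnetd": "disabled",          # background process that must be off
    },
    "fw-01": {
        "os.patch_level": ">=2024-02",
        "fw.default_policy": "deny",
        "mgmt.http": "disabled",
    },
}

# Constructed as-is scan output, as a technical scanner might report it.
# web-01 does not report ssh.Protocol: the scanner could not determine it.
AS_IS: Dict[str, Dict[str, str]] = {
    "web-01": {
        "os.patch_level": "2023-11",
        "ssh.PermitRootLogin": "yes",
        "svc.telnetd": "disabled",
    },
    "fw-01": {
        "os.patch_level": "2024-02",
        "fw.default_policy": "deny",
        "mgmt.http": "enabled",
    },
}

# Constructed waiver register from the remediation plan: gaps that are
# acknowledged but accepted, keyed by (host, control), with the justification.
WAIVERS: Dict[Tuple[str, str], str] = {
    ("fw-01", "mgmt.http"): "vendor appliance; fix deferred to hardware refresh (cost)",
}


@dataclass(frozen=True)
class Gap:
    host: str
    control: str
    expected: str
    actual: Optional[str]      # None when the scan did not report the control
    status: str                # "gap", "waived" or "not-scanned"
    waiver_reason: Optional[str] = None


def is_compliant(expected: str, actual: str) -> bool:
    """Compare one scanned value against its baseline entry.

    A baseline entry of the form ">=YYYY-MM" is a minimum patch level; because
    the constructed levels are zero-padded YYYY-MM strings, plain string
    comparison orders them chronologically. Any other entry must match exactly.
    """
    if expected.startswith(">="):
        return actual >= expected[2:]
    return actual == expected


def gap_analysis(to_be: Dict[str, Dict[str, str]],
                 as_is: Dict[str, Dict[str, str]],
                 waivers: Dict[Tuple[str, str], str]) -> List[Gap]:
    """Compare scan results against the ideal operating state, control by control."""
    gaps: List[Gap] = []
    for host, controls in to_be.items():
        scanned = as_is.get(host, {})
        for control, expected in controls.items():
            actual = scanned.get(control)
            if actual is None:
                status = "not-scanned"
            elif is_compliant(expected, actual):
                continue                      # as-is already matches to-be
            else:
                status = "gap"
            reason = waivers.get((host, control))
            if reason is not None:
                status = "waived"
            gaps.append(Gap(host, control, expected, actual, status, reason))
    return gaps


def remediation_items(gaps: List[Gap]) -> List[Gap]:
    """Open gaps the transition plan must close (waived items are excluded)."""
    return [g for g in gaps if g.status == "gap"]


def validation_items(gaps: List[Gap]) -> List[Gap]:
    """Controls the scanner could not assess; these need eyes-on/hands-on validation."""
    return [g for g in gaps if g.status == "not-scanned"]


if __name__ == "__main__":
    found = gap_analysis(TO_BE, AS_IS, WAIVERS)
    for g in found:
        note = f"  ({g.waiver_reason})" if g.waiver_reason else ""
        print(f"{g.host:7} {g.control:22} expected={g.expected:10} "
              f"actual={g.actual!s:10} {g.status}{note}")
    print(f"{len(remediation_items(found))} item(s) for the remediation plan, "
          f"{len(validation_items(found))} need(s) manual validation")
```

The three result sets map onto the steps above: `remediation_items` feeds the transition plan, waived entries stay visible in the report with their justification so the waiver process is auditable, and `validation_items` is the list that the eyes-on and hands-on validation has to close before the as-is picture is complete.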
8.11.1.1  Deliverables
Vulnerability assessment deliverables include the following documents:
- Current operating state (as-is)
  - Nontechnical assessment questionnaire (if applicable)
    - The assessment questionnaire determines the policy and procedure as-is.
    - Include traceability to compliance requirements; this is the basis for the assessment, the to-be comparison.
  - Technical assessment
    - Vulnerability scan: determines part of the practice as-is.
    - Eyes-on and hands-on validation: determines the other part of the practice as-is.