Setting a baseline for cybersecurity assessments
The first step in developing a strategy to safeguard the systems of a business is to analyze the current situation; to do this, we must reach a joint understanding of the “as is” scenario. Management expectations, technologies in use, and other requirements will vary depending on the industry.
What can you expect in a provider of IT network assessments?
Your provider should be able to come up with a recommended plan of assessments specific to your environment. Not all types of assessments are necessary for every industry. Your MSP should have the depth of experience required to perform different types of assessments focused on the overall health of the IT ecosystem, network, virtualization, and security. Your provider should also be well versed in the latest compliance regulations so that clients can meet new requirements as they emerge.
We focus on two key areas:
- What are your business objectives and needs over the next three years?
- What is the state of your current IT environment?
Why should you choose Corserva to assess the state of your IT?
Corserva’s experts bring a wealth of knowledge and experience regarding the specific regulations tied to regulated vertical industries such as financial services and healthcare. With a foundation of these requirements and other vertical industry best practices, we spend time with your management team reviewing specific concerns you may have, above and beyond the basic industry guidelines.
A Comprehensive Look at your Entire IT Environment with our Assessments
Base Network Assessment
Our Base Assessment provides a complete view of the entire IT environment, including all devices that are connected to the network (servers, switches, firewalls, routers, printers, end user devices, etc.). The analysis generates a profile of each device on the network, including its hardware components, OS and patch levels, applications and associated licenses, current antivirus solution and signature update status, and warranty/support status. In addition, the base analysis identifies open ports that should be closed.
Virtualization Assessment
For companies that have deployed large numbers of virtual servers, or that want to prepare for virtualization projects, this assessment provides the foundation required for planning. For existing virtual machines (VMs), the assessment identifies all current configurations as well as VM “sprawl,” which results from the constant addition of new VMs without the removal of unused ones. This assessment provides an accurate view of the workload support required for new or expanded virtual environments.
Cybersecurity Assessment
All companies are concerned about the state of their cybersecurity resilience. And we know that while advanced firewall and endpoint protection are necessary, they are certainly not sufficient. We must identify malware as it moves within your internal network, and we must identify end user behavior that significantly increases your attack surface. The Cybersecurity Assessment places a network sniffer in your environment for a week to capture traffic moving within your internal network. This data is then analyzed in our Cybersecurity Lab to identify both malicious code moving within your network and user actions that increase your risk of attack.
Network Penetration Testing
Once issues from the Base Assessment and Cybersecurity Assessment have been addressed, penetration testing can validate the assumption that all data is secure and the network cannot be hacked. Whereas the Base Assessment and Cybersecurity Assessment analyze your network and produce to-do lists of areas to address, penetration testing is the act of deliberately trying to break into the network or access data. A successful round of internal and external penetration testing will tell you that your network is truly secure. The results of a penetration test will expose any external vulnerabilities and their associated impact, covering internet-facing IP addresses, firewalls, email servers, and web servers.
NIST Assessment
The National Institute of Standards and Technology (NIST) develops and issues standards, guidelines, and other publications to assist in managing cost-effective programs to protect the information and information systems of federal agencies. NIST 800-53 provides a catalog of security controls for all US federal information systems except those related to national security.
Manufacturers that provide parts and equipment to suppliers serving federal and local governments must be compliant with the latest NIST 800-171 regulation by the end of 2017. Learn more in the white paper, “What Manufacturers Should Know About NIST 800-171.”
NIST dictates how Controlled Unclassified Information (CUI) is stored and accessed. Learn more in the blog posts:
- 3 Myths About NIST 800-171 and NIST Compliance
- Leveraging NIST Assessments to Become NIST Compliant
- Learn the Truth About NIST Compliance in the Next 90 Seconds
Corserva offers a specific program to enable manufacturers to become NIST compliant with a NIST assessment. View the solution brief to learn more about Corserva’s program for NIST assessments.
NIST 800-171... Will you be ready?
HIPAA Compliance Assessment
As an extension of the Base Assessment customized for the healthcare industry, Corserva can assess your HIPAA compliance against the HIPAA Security Rule. By combining the data collected in the Base Assessment with on-site physical checks of certain practices and policies, we can deliver a HIPAA compliance review report.
The Corserva HIPAA audit includes:
- Master HIPAA Policy and Procedures document
- HIPAA Risk Analysis
- HIPAA Management Plan
- Evidence of HIPAA Compliance report
PCI DSS Assessment
The Payment Card Industry Data Security Standard (PCI DSS) requires companies that store, process, or transmit credit card information to protect that information in order to reduce credit card fraud. Corserva’s PCI DSS Assessment checks whether your company stores data in a way that meets the requirements of this standard in the areas of security, data archiving, and accessibility. All types of data storage are analyzed, including onsite, cloud, and remote.