Customer Definition of an Assessment

Written by Sean Martin; published January 2008.



A critical first step for an assessment project is to come to a common understanding of what an assessment consists of. Often you have to spend a great deal of time with potential customers just defining what they are looking to accomplish with the “assessment” process. The term assessment has been used loosely for years to describe everything from an audit to “attack and penetration” testing. NSA has broken up what has traditionally been called an assessment into a three-phase, top-down approach.

1. Assessment. The assessment is an organizational-level process that focuses on the nontechnical security functions within an organization. In the assessment, we examine the security policies, procedures, architectures, and organizational structure that are in place to support the organization. Although there is no hands-on testing (such as scans) in an assessment, it is a very hands-on process, with the customer working to gain an understanding of critical information, critical systems, and how the organization wants to focus the future of its security.

2. Evaluation. The evaluation is a hands-on technical process that looks specifically at the organization from a system/network level to identify security vulnerabilities that exist in those systems and can be mitigated through technical, managerial, or operational means. Evaluations are often confused with assessments. The IAM specifically focuses on the assessment, but elements of evaluations can be included in the IAM process; NSA calls this a Level 1+ assessment. This includes technical analysis of the firewalls, intrusion detection systems, guards, and routers. It may also include some basic vulnerability scans of the customer’s networks. In addition, the IAM process provides excellent information that leads into future evaluations.

3. Red teaming. Red teaming, often called attack and penetration testing, is a process whereby someone imitates an adversary looking for the security vulnerabilities that make it easiest to break into a system or network. These are often called the low-hanging fruit, because they are the easiest means into the customer network.
