SAFE offers clients a variety of assessment offerings that are customized and executed based on agreed-upon parameters that meet the needs, goals, and/or regulatory requirements of the organization. The types of assessments SAFE offers include, but are not limited to:
- Vulnerability Assessments
- Penetration Testing
- GLBA Compliance Assessments
- FFIEC Cybersecurity Framework Assessments
- Risk Assessments
- IT Controls Reviews
- Web Application Testing
- Mobile Device Testing
- Social Engineering Assessments
At SAFE, you will not find a boilerplate process for Vulnerability Assessments. We tailor each assessment to every organization's unique environment. The assessment goals and process are developed based on the criteria discussed and agreed to by both SAFE personnel and the client.
SAFE uses a combination of automated tools and manual techniques to conduct the assessment. This can include things such as:
- Vulnerability Scanning
- Policy & Procedure Review
- Review of in-place processes
- Physical Security reviews
- Active Directory GPO reviews
- Firewall reviews
- IDS/IPS reviews
- Audit log reviews
- Business Continuity / Disaster Recovery program review
- Segregation of Roles & Responsibility review
- Encryption Implementation reviews
- Network/Data Flow Diagram reviews
- Patch Management Program evaluation
- System Hardening Standards review
At the conclusion of each Vulnerability Assessment, SAFE provides each client with a detailed report of not only the findings of the assessment, but also with detailed recommendations on ways to eliminate, mitigate, and reduce the risks associated with gaps in the organization’s security posture.
One of the key components of creating a secure environment is for organizations to understand where their vulnerabilities are and how attackers will try to exploit them. While most organizations do their best to protect their critical assets, the in-depth testing of their security is not always completed.
When conducting Penetration Tests, SAFE personnel target an organization’s critical cyber assets using the tactics, techniques, and procedures an actual attacker may use. Through this process, organizations will gain a better understanding of the vulnerabilities they face, how well their assets are protected, and the ways to help mitigate the risks they face. It will also help in the identification of misconfigurations within systems. In conjunction with a comprehensive security program, Penetration Tests can help reduce the risk of a data breach occurring by identifying exploitable vulnerabilities and allowing an organization to remediate them before they are exploited.
Our Penetration Testing services follow a systematic approach that begins with defining the scope of the engagement. Here the client and SAFE agree to the parameters of the engagement and clearly define the goals and expectations. We work together to understand the threats an organization faces, its critical assets, and the type of attackers that may wish to compromise the organization.
Once the engagement scope is established, target reconnaissance begins. This is where SAFE personnel gather information about the client's environment, including, but not limited to: systems, applications, users, valid email addresses, username structures, departments, and more. This is all information that may be used to exploit vulnerabilities found in the next phase.
During the next phase, we identify the vulnerabilities within the organization and determine the best way to exploit them.
After exploitable vulnerabilities are identified, SAFE personnel attempt to exploit the identified vulnerabilities using a variety of tools and processes that include open source, publicly available or commercial penetration testing tools.
Finally, SAFE provides a detailed report of their findings, the results of exploitation attempts, and recommendations on how the organization can mitigate the risks it faces.
Web Application Testing
Web Application assessments are designed to identify vulnerabilities, misconfigurations, and other issues that pose a threat to an organization’s web applications.
The Web Application assessment process includes three phases:
- Once an engagement has started, SAFE personnel will work with site administrators to become more familiar with the web application and environment. They will discuss current backup and recovery procedures, determine the assessment period, including hours of the day, and ensure current processes will allow for the quick recovery of the application in the event of a problem.
- At this point, the assessment is conducted during the previously agreed-upon assessment period. During the assessment, SAFE personnel will conduct automated scans of the application, manual verification of the automated scan results to eliminate false positives, and manual testing from the application user's perspective.
- Finally, a summary report is compiled, which will include an executive summary of the results, along with detailed results and recommendations on remediation steps. Note: After remediation efforts have been completed, clients may request an additional automated scan of the application to ensure issues have been resolved and that no new vulnerabilities have been introduced during the remediation process.
Regulatory Compliance Assessments
SAFE’s Regulatory Compliance Assessments identify compliance and security vulnerabilities within an organization’s enterprise in order to help reduce our clients' overall risk and provide valuable information that may be used to help thwart a data breach before it occurs.
Our team uses industry-leading solutions to identify technical vulnerabilities, while also using our expertise to ensure physical and administrative risks are identified and remediation recommendations are provided. Tools may include automated testing, personnel interviews, policy reviews, procedural and process evaluations, in-depth analysis and more.
Each recommendation our team members provide has been customized to meet the client’s current operating environment. Our reports only include information relevant to the client receiving them, prioritized based on the level of risk a particular finding poses to the organization.
Ensuring you are compliant with Gramm-Leach-Bliley Act (GLBA) and Federal Financial Institutions Examination Council (FFIEC) regulatory requirements is critical for financial institutions. As such, our Regulatory Compliance Assessment reports provide you a detailed roadmap to ensure you remain compliant or the steps required to become compliant.
FFIEC Cybersecurity Assessments
FFIEC Cybersecurity Assessments evaluate a client’s compliance based on the FFIEC Cybersecurity Assessment Tool. SAFE personnel review the overall compliance of the organization based on the pre-determined maturity level of the client.
Assessors will examine the current cybersecurity posture of the organization. This is done using the FFIEC Cybersecurity Assessment Tool, with SAFE personnel evaluating each domain:
- Cyber Risk Management & Oversight
- Threat Intelligence & Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience
Once complete, SAFE clients can expect to receive results showing their current, assessed Maturity Level, along with areas that need to be addressed. Each report will be customized with recommendations for the client based on their complexity and current operating environment.
Risk Assessment
The foundation of any organization's Information Security Program is a strong Risk Management Program.
SAFE’s Information Security Risk Assessments are designed to provide clients with a tailored assessment that not only meets regulatory compliance (Gramm-Leach-Bliley Act (GLBA) and the Federal Financial Institutions Examination Council (FFIEC) guidelines establish the need for financial institutions to perform risk assessments), but meets organizational goals based on strategic, operational, and risk tolerance objectives.
As part of a SAFE Risk Assessment, we look at many of the different types of risks an organization faces, including, but not limited to: