At the start of a screening assignment, the size, complexity and vulnerability of the object must become clear. Together with the screening methods applied, this determines how much time should be spent on a screening. This is why determining the right scope is important prior to carrying out IT security screenings. In order to determine the scope for either a screening of applications or of the IT infrastructure, a few crucial issues will be established during an intake consultation and used as starting points.
The price of the IT security screening consists of two components: the (daily/hourly) rate and the budgeted time for the screening. The estimate will contain a description of the approach, based on the framework of standards and/or best practices for the screening to be carried out. It will also clearly indicate what can be expected of VASC and which preconditions must be in place in order to perform a proper screening.
The IT security screening will be scheduled after the scope has been determined and the assignment allocated. Are there any special requests concerning the scheduling? Should we, for example, take the go-live date into account? Or is the screening part of an audit that the organisation has to deal with? It is recommended that these issues are addressed at the earliest possible stage.
When scheduling, it is also advisable to allow for the time that is needed (if necessary) to eliminate the discovered risks and carry out the subsequent re-screening. Based on the desired schedule and the pre-established scope, we can determine which team of specialists is best deployed. Taking their availability into account, we will then establish a definitive schedule together.
The customary contracts and general conditions for IT service provision may serve as the basis for a contract with general conditions (GC). When drafting a contract for carrying out an IT security screening we apply the following specific points of interest:
- Permission and indemnification, and the proper establishment of the (technical) scope of the assignment by means of URLs, IP addresses and/or network ranges.
- Confidentiality: it is important for all parties that the IT security screening (and its results) is handled with the utmost confidentiality.
- Limiting liability: it is customary to limit the liability of both parties in proportion to the scope of the assignment.
Upon completion of the IT security screening, VASC will provide a thorough report of all findings from the screening.
This report will include the following information:
- The scope of the screening
- The dates on which the screening was carried out
- Management summary
- Conclusion based on the risks discovered
- The risks discovered, each with:
  - Description of the risk or evidence of the risk
  - Classification of the risk
  - Advice concerning the measures to be taken
As soon as the VASC report is delivered, it is important that the results are carefully examined. Follow-up actions may be defined in this report. The most positive outcome of the IT security screening and the report is that there are no findings. In practice, however, the opposite is often the case. For every finding, the impact on the organisation and the cost of mitigating it must usually be established.
For findings with a high risk level the choice is often quite clear. However, for medium-risk and in particular for low-risk findings the organisation has to make careful decisions. These decisions may include implementing procedural changes to such an extent that the risk and/or impact of a finding is reduced, preferably to nil, but in any case to a level that is acceptable to the organisation.
After carrying out a screening and resolving the findings, it is recommended to perform a re-screening to verify that the findings have been resolved properly. Depending on the number of changes made to resolve the findings, VASC can carry out a partial screening. However, it may also be necessary to carry out a complete, new screening in order to determine whether the measures that have been taken have introduced any new vulnerabilities. A complete re-screening is recommended once several months have passed since the original screening was carried out. By then it is more likely not only that all findings have been resolved, but also that other changes have been made and functionality has been added or removed.
Once it has been decided to perform a re-screening, we will provide details concerning which findings are related to the re-screening.
We recommend that IT security tests be approached in a structured, ongoing manner. In practice, these tests often turn out to be carried out ad hoc or only periodically (with a low frequency and a limited scope).
Developing a clear policy regarding IT security tests gives colleagues a better understanding of when certain applications and IT infrastructures should be tested, at which frequency and according to which method. Besides these periodic tests, testing new IT projects should also be considered.