Isolation of Sensitive Systems
I would like to request your comment or idea on a point I am still unsure how to check: "Isolation of Sensitive Systems" - According to identified risks, do sensitive application systems operate in an isolated processing environment?
I would very much appreciate your kind comment and any idea.
This question can be answered from two points of view: auditor and pen tester.
From the auditor's point of view, you need to check the evidence that shows isolation is implemented (e.g., network topology, pentest report, etc.)
From a pen tester's point of view, to check isolation you need to try to access the systems from outside their defined perimeter of work (i.e., environment).
For example, if a system's stated environment is the company's premises, you should try to access it from outside the company's premises, like:
- from a side street, trying to find a hidden wireless connection
- from the company's website, trying to explore a site vulnerability
In case the system's stated environment is a single room in the company's premises, or it is disconnected from the main company network, you should try to access it by:
- trying to find a hidden wireless connection
- trying to explore an intranet vulnerability
- trying to physically access a network device connected to the system
- trying to get physical access to the room
This article will provide you with a further explanation about exploring vulnerabilities:
- How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/
Nov 18, 2020
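One way an auditor could check the firewall-rule evidence the answer mentions, as an added example that is not part of the original post: a script that flags "allow" rules reaching the sensitive network from a source outside its defined processing environment. The networks, ports and rules below are constructed assumptions, not values from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port, 0 = any
    action: str   # "allow" or "deny"


# Constructed sample (assumed addresses): the sensitive system lives in
# 10.50.0.0/24 and should only be reachable from its isolated environment.
SENSITIVE_NET = "10.50.0.0/24"
ALLOWED_ENVIRONMENT = ["10.50.1.0/24"]

SAMPLE_RULES = [
    Rule("10.50.1.0/24", "10.50.0.0/24", 0, "allow"),      # environment -> sensitive: expected
    Rule("10.0.0.0/8", "10.50.0.0/24", 443, "allow"),      # whole corporate LAN -> sensitive: violation
    Rule("0.0.0.0/0", "10.50.0.0/24", 0, "deny"),          # default deny: fine
    Rule("192.168.20.0/24", "10.50.0.0/24", 22, "allow"),  # other VLAN -> sensitive: violation
]


def find_isolation_violations(rules, sensitive_net, allowed_envs):
    """Return (rule, outside_ranges) for every allow rule whose source can
    reach the sensitive network from outside the allowed environment."""
    sens = ipaddress.ip_network(sensitive_net)
    allowed = [ipaddress.ip_network(a) for a in allowed_envs]
    violations = []
    for r in rules:
        if r.action != "allow" or not ipaddress.ip_network(r.dst).overlaps(sens):
            continue
        # Subtract the allowed environment from the rule's source range;
        # whatever remains is a path into the sensitive network from outside.
        outside = [ipaddress.ip_network(r.src)]
        for a in allowed:
            remaining = []
            for chunk in outside:
                if not chunk.overlaps(a):
                    remaining.append(chunk)       # entirely outside the environment
                elif not a.supernet_of(chunk):
                    remaining.extend(chunk.address_exclude(a))  # partly outside
                # else: chunk is fully inside the environment, drop it
            outside = remaining
        if outside:
            violations.append((r, sorted(outside)))
    return violations


if __name__ == "__main__":
    for rule, ranges in find_isolation_violations(SAMPLE_RULES, SENSITIVE_NET, ALLOWED_ENVIRONMENT):
        print(f"VIOLATION {rule.src} -> {rule.dst} port {rule.port or 'any'}: outside ranges {len(ranges)}")
```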