Expert Advice Community

Questions about vulnerability analysis

Guest user Created:   Apr 05, 2023 Last commented:   Apr 05, 2023

1. Can the analysis of technical vulnerabilities of information assets be performed by the organization itself, or should it be contracted out to an external provider specialized in security?

2. The company bought an appliance for the analysis of technical vulnerabilities of its digital assets; the device will be managed by staff of the systems department. Could this generate a nonconformity in the event of a third-party audit?

3. What are the recommendations for managing vulnerability analysis and penetration testing of digital assets?

Expert
Rhand Leal Apr 05, 2023

1. Can the analysis of technical vulnerabilities of information assets be done by the organization itself, or should it contract an external provider specialized in security?

ISO 27001 does not prescribe who should perform the assessment of technical vulnerabilities, so organizations are free to choose the approach that best fits their needs.

2. The company has bought an appliance for the analysis of technical vulnerabilities of digital assets; the device will be managed by the systems area staff. Could this generate a non-compliance in the event of a third-party audit?

Provided that the staff managing the technical vulnerability appliance do not own the digital assets being assessed, there will be no problem regarding compliance with ISO 27001.

For example, system owners cannot run the technical vulnerability appliance over the systems they manage.

This is so to provide assurance of independent evaluation.

3. What are the recommendations for the management of vulnerability analysis and penetration testing of digital assets?

The main recommendations for vulnerability management take into account:

  • Definition of an asset inventory, so you have the knowledge about what you need to protect
  • Definition of roles and responsibilities, so it is clear what needs to be done by whom
  • Definition of reference sources (e.g., suppliers, manufacturers, expert groups, etc.), so you can have trustworthy information about vulnerabilities
  • Handle identified vulnerabilities in a systematic way
  • Make records of performed analysis

Regarding penetration tests, they should be performed considering at least these phases:

  • Planning: identification of the information systems and targets involved
  • Information gathering: collect all available information possible about the targets
  • Threat modeling: develop strategies to attack the systems
  • Vulnerability analysis: identify all vulnerabilities related to the target
  • Exploitation: effectively apply devised threats against potential vulnerabilities to try to breach the targets
  • Post-exploitation: check what can be done once the target is breached (e.g., download files, access other systems, etc.)
  • Reporting: document and present findings and recommendations

For further information, see:

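The two practical points in the answer above, that the person operating the scanner must not be the owner of the systems being scanned (question 2) and that findings should be tied to an asset inventory, assigned to a named role, handled systematically and recorded (question 3), can be enforced in a small tracking script. The following is an added example written for this page; it is not code from the original post, from Advisera, or from any ISO 27001 material. The inventory, the scanner output, the finding IDs and the per-severity remediation deadlines in SLA_DAYS are all constructed for illustration and are assumptions, not values taken from the standard.

```python
"""Minimal vulnerability-management ledger.

Two controls are demonstrated:
  * independence check: the scan operator may not own any targeted asset
  * systematic handling: each finding is assigned to the asset owner, gets a
    due date from a severity SLA, and keeps a history that serves as the record
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed remediation deadlines per severity, in days (illustrative policy
# values chosen for this example, not figures from ISO 27001).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    owner: str  # person or team accountable for the system


@dataclass
class Finding:
    finding_id: str
    asset_id: str
    severity: str
    detected: date
    assigned_to: str = ""
    due: Optional[date] = None
    status: str = "open"
    history: list = field(default_factory=list)  # audit trail of the record


# Constructed sample inventory (hostnames and owners are placeholders).
INVENTORY = {
    a.asset_id: a
    for a in (
        Asset("A-001", "web01.example.test", "alice"),
        Asset("A-002", "db01.example.test", "bob"),
        Asset("A-003", "vpn01.example.test", "alice"),
    )
}

# Constructed scanner output; finding IDs are placeholders, not real advisories.
RAW_SCAN = [
    {"id": "F-1", "asset_id": "A-001", "severity": "Critical"},
    {"id": "F-2", "asset_id": "A-002", "severity": "medium"},
    {"id": "F-3", "asset_id": "A-003", "severity": "high"},
]


def independence_conflicts(inventory, operator, target_ids):
    """Return the asset IDs whose owner is also the person running the scan.

    A non-empty result means the scan would not be an independent evaluation
    and should be re-assigned to someone who does not manage those systems.
    """
    return sorted(
        aid for aid in target_ids
        if aid in inventory and inventory[aid].owner == operator
    )


def ingest_findings(inventory, raw_findings, today):
    """Turn raw scanner output into tracked records.

    Each finding is assigned to the owner of the affected asset, gets a due
    date from SLA_DAYS, and starts a history entry. Findings that reference an
    asset missing from the inventory are rejected: an unknown asset means the
    inventory itself is incomplete, which must be fixed before tracking.
    """
    records = []
    for raw in raw_findings:
        asset = inventory.get(raw["asset_id"])
        if asset is None:
            raise KeyError(f"finding {raw['id']} references unknown asset {raw['asset_id']}")
        sev = raw["severity"].lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {raw['severity']!r} on {raw['id']}")
        rec = Finding(raw["id"], asset.asset_id, sev, today,
                      assigned_to=asset.owner,
                      due=today + timedelta(days=SLA_DAYS[sev]))
        rec.history.append((today, f"detected, assigned to {asset.owner}"))
        records.append(rec)
    return records


def close_finding(rec, when, note):
    """Mark a finding remediated; the history keeps the evidence for audits."""
    rec.status = "closed"
    rec.history.append((when, note))


def overdue(records, today):
    """Open findings whose SLA deadline has already passed."""
    return [r for r in records if r.status == "open" and r.due < today]


def demo():
    """Run the whole flow on the constructed data and return a summary."""
    scan_day = date(2023, 4, 5)
    targets = ["A-001", "A-002", "A-003"]
    # alice owns A-001 and A-003, so she may not be the one scanning them;
    # carol owns nothing in the inventory and may run the scan.
    alice_conf = independence_conflicts(INVENTORY, "alice", targets)
    carol_conf = independence_conflicts(INVENTORY, "carol", targets)
    recs = ingest_findings(INVENTORY, RAW_SCAN, scan_day)
    close_finding(recs[0], scan_day + timedelta(days=3), "patched, rescan clean")
    late = overdue(recs, scan_day + timedelta(days=45))
    return {
        "alice_conflicts": alice_conf,
        "carol_conflicts": carol_conf,
        "owners": {r.finding_id: r.assigned_to for r in recs},
        "due": {r.finding_id: r.due.isoformat() for r in recs},
        "overdue": [r.finding_id for r in late],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The independence check is deliberately a hard conflict rather than a warning: if the scanner is operated by the same people who administer the targets, the organization has no evidence of independent evaluation, which is exactly the point raised in the answer. The per-finding history list is what you would show an auditor as the record of the analysis and its handling.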