Cloud Security Assessments:
As an extension of our cyber security capabilities, Visual Soft provides cloud security assessments. We understand the technical and management challenges of performing security assessments in cloud environments, such as defining roles and responsibilities in multi-tiered cloud architectures, managing dynamic system inventories, and providing secure key management and incident management in the cloud. Our assessment methodology aligns with NIST's Risk Management Framework (RMF Step 4) and includes the following phases:
- Preparing for the Assessment – Visual Soft will validate system boundaries, components and security categorization, interview key stakeholders, and review all available system documentation in preparation for the assessment.
- Security Assessment Plan (SAP) – Visual Soft will document testing assumptions, constraints, dependencies, Rules of Engagement and a proposed assessment schedule. The SAP will include test procedures and assessment methods aligned with NIST SP 800-53A.
- Conducting the Assessment – Once we obtain approval, Visual Soft will execute the SAP. We will keep detailed working papers to ensure each test result is thoroughly documented and categorized (e.g. met, partially met, or not met). We will also provide explanations for all partially met or not met tests.
- Developing the Security Assessment Report (SAR) – The SAR will provide analysis of each finding, the potential impact (threat and vulnerability analysis), risk ratings and preliminary recommendations.
- Plan of Action and Milestones (POA&M) Recommendations – Based on feedback from the presentation of our findings, and discussions with stakeholders, Visual Soft will provide recommended POA&Ms (final POA&Ms and their implementation are the responsibility of the client organization).
- Conducting Penetration Testing – Clients may desire penetration testing to provide enhanced assurance of their system or infrastructure's security. Visual Soft customizes penetration test plans for each client's objectives, but generally follows the four-phase approach described in NIST SP 800-115 (Planning, Discovery, Attack and Reporting).