2. Network Mapping
One of the first tasks in a network audit is mapping the network. This process finds out what is running on the network: the systems that are present and the services they offer.
3. Determine the Scope
What is it that you are planning to test?
a. Individual networks
b. A subnet range
c. The entire network
d. VPN and remote sites
4. What is the Risk?
Garner Risk Pyramid
Business versus Security
5. What’s Up!
Determine what your uptime requirements are. How long can the organization afford to be out of action in the event of:
a. A non-critical single component failure,
b. A critical single component failure, and
c. Total systems failure.
7. Concept of Operations
Concept of Operations documents for systems. This document details the purpose of each system:
• The purpose of the system (what does it do/provide?)
• How it fulfills that purpose (how does it tick?)
• Component dependencies on other components (what parts of the system rely on other parts of the system, what do they rely on them for, and how?)
8. List of Mandatory Requirements
Determine what mandatory requirements the organization is required by legislation to meet. Attach copies of the relevant parts of the legislation.
HIPAA
PCI
FERPA
9. Risk Based Requirements
This should be a map of the prioritized countermeasures to the risks identified in the Risk Assessment, with specific reference to the countermeasures designed to counter each specific risk.
Evidence is required that illustrates why the countermeasures are considered effective.
10. What Hackers Want To Know
Any attacker wants to find a vulnerable system that they have a tool to exploit. This does not mean that they need to get a “root” level exploit the first time. A low-level guest account may be enough to gain a foothold into your organization’s systems.
1. What systems are available,
2. What operating system and patch level is being run, and
3. What application and version (patch level as well) is available.
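The inventory that slides 2 and 10 describe (which systems are up, what OS they run, which services and versions they expose) is what the auditor should hold before the attacker does. As an added example that is not part of the original slides, the following Python parser builds that inventory from nmap's grepable (-oG) output; it is run here over a constructed sample rather than a live scan, and the hosts, names and version strings in the sample are made up.

```python
import re
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of nmap "grepable" (-oG) output. Hosts, names, ports and
# version strings are made up for this example, not taken from a real scan.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 (web01.lab)\tStatus: Up
Host: 10.0.0.5 (web01.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/open/tcp//http//Apache httpd 2.4.52/\tIgnored State: closed (997)\tOS: Linux 5.4
Host: 10.0.0.9 (files.lab)\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019 microsoft-ds/, 3389/filtered/tcp//ms-wbt-server///\tOS: Windows Server 2019
"""

@dataclass
class Asset:
    ip: str
    hostname: str
    os: str = "unknown"
    services: list = field(default_factory=list)  # (port, proto, service, version)

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")

def parse_grepable(text):
    """Build the inventory (systems, OS, open services and versions) from -oG lines."""
    assets = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields; the Host value is "ip (hostname)".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip, _, rest = fields["Host"].partition(" ")
        asset = assets.setdefault(ip, Asset(ip, rest.strip("() ")))
        if "OS" in fields:
            asset.os = fields["OS"]
        for port, state, proto, service, version in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open":  # filtered/closed ports are not "available" services
                asset.services.append((int(port), proto, service, version or "unknown version"))
    return sorted(assets.values(), key=lambda a: ipaddress.ip_address(a.ip))

def inventory_report(assets):
    """One line per open service: what is available, on which OS, at which version."""
    return [f"{a.ip} {a.hostname or '-'} [{a.os}] {port}/{proto} {service}: {version}"
            for a in assets for port, proto, service, version in a.services]

if __name__ == "__main__":
    print("\n".join(inventory_report(parse_grepable(SAMPLE_SCAN))))
```

Services reported with "unknown version" are the ones to follow up by hand, since a version-less entry cannot be matched against patch levels.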