Hardened Network Assessment - Securance ConsultingSecurance Consulting

1

0%

IT Governance

IT governance sets the foundation for an enterprise’s IT security posture. It requires an IT Steering Committee, IT policies, procedures, standards and guidelines and performance measures and metrics.

Select all that apply to your organization:

Are IT policies/procedures/standards/guidelines in place and followed?
Do employees receive security awareness testing and training?
Are IT policies based on a security controls framework?
Does the CISO report to the CIO?
Does an IT steering committee or equivalent exist?
Are annual compliance tests (e.g., SOX, PCI, HIPAA) performed?

N/A

0%

WAN/MAN

Remote Organization Location

Wide area networks are primarily associated with organizations that have multiple remote physical locations requiring direct connections to the enterprise’s core network. This section focuses on security and controls surrounding WAN and MAN.

Select all that apply to your organization:

Do remote locations adhere to enterprise IT policies, procedures, standards, and guidelines?
Do remote locations have limited technology (e.g., firewalls, distribution switches, workstations, and multi-function printing)?

Back

N/A

0%

Internet

Internet Presence

All organizations have an Internet presence, Internet access, and third-party connections, such as cloud providers and strategic partners. This section focuses on the security and controls surrounding an organization’s Internet presence.

Select all that apply to your organization:

Are annual external network penetration tests performed?

Back

N/A

0%

Internet

Remote User Access

All organizations have an Internet presence, Internet access, and third-party connections, such as cloud providers and strategic partners. This section focuses on the security and controls surrounding an organization’s Internet presence.

Select all that apply to your organization:

Remote user accounts are audited periodically.
Push technology is implemented to confirm device configuration.
Multi-factor user authentication is in place.
Device authentication is in place.

Back

N/A

0%

Internet

Site-to-Site VPN

All organizations have an Internet presence, Internet access, and third-party connections, such as cloud providers and strategic partners. This section focuses on the security and controls surrounding an organization’s Internet presence.

Select all that apply to your organization:

Source IP addresses are explicitly defined.

Back

N/A

0%

Internet

Cloud Providers (e.g., Office365, Box, Google, and Salesforce)

All organizations have an Internet presence, Internet access, and third-party connections, such as cloud providers and strategic partners. This section focuses on the security and controls surrounding an organization’s Internet presence.

Select all that apply to your organization:

SSAE 18 Type II reviews are performed annually.
Cloud service provider (CSP) security options are implemented.
Multi-factor authentication is implemented according to data classification standards.
Comprehensive auditing is enabled.
Data is encrypted in transit and at rest.
Data loss prevention (DLP) is enabled.
An anti-phishing/anti-spoofing solution is enabled.

Back

N/A

0%

Internet

Remote Vendor Access

All organizations have an Internet presence, Internet access, and third-party connections, such as cloud providers and strategic partners. This section focuses on the security and controls surrounding an organization’s Internet presence.

Select all that apply to your organization:

User authentication is in place for vendor accounts.
All accounts are named user accounts.
Vendor account activity is monitored in real time.
Vendor accounts are periodically audited.
Vendor accounts are active for 30 or fewer days.

Back

N/A

0%

ISP and Next-Generation FIREWALL

Internet Router – ISP Managed

All organizations with Internet access have an Internet service provider (ISP) and a firewall to protect them from bad actors on the Internet. This section provides important security and controls related to the ISP and the Internet-facing next-generation firewall.

Select all that apply to your organization:

The ISP’s responsibility for securing the router is documented.
We annually review and confirm the ISP’s patch/security report.

Back

N/A

0%

ISP and Next-Generation FIREWALL

Next-Generation Firewall

All organizations with Internet access have an Internet service provider (ISP) and a firewall to protect them from bad actors on the Internet. This section provides important security and controls related to the ISP and the Internet-facing next-generation firewall.

Select all that apply to your organization:

“Any, any, any” rules are disabled.
The firewall configuration is reviewed annually.
Risky services are disabled.
All rules have comments.
Unnecessary services are disabled.
All rules have an explicit source, destination, and service/application.
All traffic is logged.
Changes to the firewall adhere to our change management policy.

Back

N/A

0%

Web Application

Web Application Firewall

Many organizations enable customers to interact with them via a web application. Securing web applications has become a critical component of securing an enterprises overall technology environment. This section provides basic controls for securing web applications.

Select all that apply to your organization:

Web-application vulnerability assessments are performed periodically.
URL filtering and enabled and configured.

Back

N/A

0%

Web Application

User Provisioning

Many organizations enable customers to interact with them via a web application. Securing web applications has become a critical component of securing an enterprises overall technology environment. This section provides basic controls for securing web applications.

Select all that apply to your organization:

Administrator accounts are managed.
User accounts are managed.
User accounts are configured according to the principles of role-based security and least access.
Our organization practices security-conscious application development.
Inactive accounts are disabled.

Back

N/A

0%

Core Router and WIFI

CORE ROUTER

In this section, we begin to evaluate the internal network. A properly configured core router/switch is the start of a secure internal computing environment.

Select all that apply to your organization:

Access control lists are in place.
The firmware is updated frequently.
The configuration of the core router is reviewed annually.
Unnecessary services are disabled.
Risky services are disabled.

Back

N/A

0%

Core Router and WIFI

Enterprise WIFI Network

In this section, we begin to evaluate the internal network. A properly configured core router/switch is the start of a secure internal computing environment.

Select all that apply to your organization:

The guest WiFi network is for Internet access only.
Our WiFi networks are encrypted, with WPA2 as the minimum standard.
Device authentication is required.
Rogue device detection and management are enabled.
User authentication is required.
The guest SSID captures user identification.
WiFi traffic is logged and monitored.
There is a disclaimer message for guest WiFi access.
The internal WiFi network can access the enterprise internal network and the Internet.

Back

N/A

0%

Active Directory

Typically, a network has a directory service technology, such as Active Directory, and a network access control (NAC) solution. In addition, there is an access layer switch and defined user VLANs. This section provides important security and controls related to Active Directory, NAC solution, and access layer switching.

Select all that apply to your organization:

The Active Directory password policy meets NIST standards.
An industry-standard audit policy is enabled and configured.
A real-time change monitoring solution is implemented and configured.
An automated password reset solution is in place.
Domain and enterprise accounts are managed.
Service accounts are managed.
User accounts are periodically audited.
Password vault software is implemented and configured.

Back

N/A

0%

Active Directory

NAC

Typically, a network has a directory service technology, such as Active Directory, and a network access control (NAC) solution. In addition, there is an access layer switch and defined user VLANs. This section provides important security and controls related to Active Directory, NAC solution, and access layer switching.

Select all that apply to your organization:

Access to network resources is based on the principle of least privilege.

Back

N/A

0%

Active Directory

Distribution-Layer Switch

Typically, a network has a directory service technology, such as Active Directory, and a network access control (NAC) solution. In addition, there is an access layer switch and defined user VLANs. This section provides important security and controls related to Active Directory, NAC solution, and access layer switching.

Select all that apply to your organization:

Configuration reviews are performed annually.
Unnecessary services are disabled.
The firmware is updated frequently.
Risky services are disabled.

Back

N/A

0%

Active Directory

User VLAN

Typically, a network has a directory service technology, such as Active Directory, and a network access control (NAC) solution. In addition, there is an access layer switch and defined user VLANs. This section provides important security and controls related to Active Directory, NAC solution, and access layer switching.

Select all that apply to your organization:

End-of-life/end-of-support operating systems are decommissioned.
Users do not have local admin access.
USB drives are in read-only mode.
An EDR solution is installed.
An anti-virus/anti-malware solution is installed.
Local workstation firewalls are enabled.
Workstations are configured to meet CIS standards.

Back

N/A

8

0%

Server Farm VLAN

Enterprise Applications

The final section of this high-level hardened enterprise network assessment focuses on enterprise applications and network storage. Effective data security is one of an enterprise’s most valuable assets. These questions provide insight into how the enterprise protects its data.

Select all that apply to your organization:

User accounts are managed.
User access is configured according to the principles of role-based security and least privilege.
Inactive user accounts are disabled.
User behavior tracking and analytics software is implemented and configured.
Administrator accounts are managed.
User access is periodically reviewed.
Application-specific security assessments are performed periodically.
Follow-up assessments are performed after security vulnerabilities have been remediated.

Back

N/A

0%

Server Farm VLAN

Enterprise Storage

The final section of this high-level hardened enterprise network assessment focuses on enterprise applications and network storage. Effective data security is one of an enterprise’s most valuable assets. These questions provide insight into how the enterprise protects its data.

Select all that apply to your organization:

Direct user access to enterprise storage is prohibited.
Access to enterprise storage is limited to applications.
Fabric security features are enabled.
SAN security features are enabled.
Unnecessary services are disabled.

Back

N/A

ASSESSMENT COMPLETED!

Thank you for completing the high-level assessment.

We hope you find this information helpful in improving the security posture of your technology environment. If you have any questions, please contact us.