ISSAF
KEINIS VANESA GONZALES MINDIOLA
JORGE ZAIN YARURO MASTER
LUIS ALBERTO TORRES RAMOS
ELMER LUIS MAESTRE PACHECO
ISSAF
It is one of the most interesting frameworks in the field of testing methodology. It conducts a detailed analysis of all the possible aspects that affect security testing.
History and vision
ISSAF is a constantly evolving framework that can model the internal control requirements for information security.
ISSAF covers the main information technology platforms and most of the operational processes related to high-level IT, and it is intended to be applicable to the main industry verticals, such as banking, manufacturing, and services.
Objective
•Provide very detailed procedures for information system testing.
•Act as an end-to-end reference document for the security assessment.
•Standardize the information system security evaluation process.
•Establish the minimum acceptable level of process.
•Provide a baseline on which one can (or should) carry out an evaluation.
•Evaluate the protections implemented against unauthorized access.
This ISSAF approach is based on using the shortest path to achieve the set objectives, trying to find flaws that can be exploited with minimal effort. The objective of this assessment framework is to provide integrity and accuracy to information systems, in addition to efficiency in security assessments.
Phases
The three phases are, respectively: Planning; Evaluation; and Treatment, accreditation and maintenance. Each of these phases has specific work packages that are generic for all organizations, regardless of their size, their specific key result areas, and their geographical location.
Phase 1 Planning
This phase includes the initial steps for exchanging information and for planning and preparing the test.
The activities carried out in this phase would be:
Identification of the contact persons from both parties.
Meeting Opening to Identify the Scope.
The approach and the methodology.
The exact dates.
The test times.
Privilege escalation.
Phase 2. Evaluation
In this phase the penetration test itself is specified. It is carried out through 9 layers, each of which represents a higher level of access to the information assets. The evaluation phase provides a holistic approach to assessing the information security risks of a company.
1. Information gathering
In information gathering, all means by which we can obtain some type of information should be explored.
2. Network mapping
From the previous layer, we take the information relevant to the network and analyze the possible topology of the company. There is a large number of tools or applications that can be applied at this stage.
Example: Nmap.
3. Identification of vulnerabilities
Scanning for the possible vulnerabilities already identified.
List and enumerate the vulnerabilities found.
Calculate the possible impact of the vulnerabilities found.
Identify possible attack routes and possible exploitation spaces.
4. Penetration or intrusion
The auditor will try to evade the security measures in order to go as far as possible in terms of the level of access to the information.
5. Gain access and escalate privileges
Possible intrusions are confirmed and documented. At this stage the aim is also to obtain administrator privileges, to avoid blockages that could be caused by antivirus, firewalls, and other security mechanisms.
6. Additional enumeration
Additional identification is obtained through more extensive techniques: analyzing network traffic, collecting cookies, analyzing email, among others. The privileges obtained in step 5 and the information detected in steps 4 and 6 are analyzed, and external tests are carried out.
7. Compromise remote users and sites
Communications between users at remote sites and corporate networks can use encryption and authentication methods, for example a VPN, but this is no guarantee that the endpoints have not been compromised.
8. Access maintenance
Tunnel software, backdoors, and rootkits, among others, are not widely used, since it is possible for an attacker to discover them and obtain system access and privileges.
9. Covering tracks
It is normal for this step to take place during testing so that the test is as transparent as possible. In this step files are hidden and records are erased, since if an attacker gains access to our system they will try to erase any record or evidence.
Phase 3. Treatment
Risk management provides a platform for making a decision on residual risks, through the selection of safeguards, the development of implementation plans, and the provision of precise documentation for the implementation and the decision-making process.
Thank you very much