An Internal Configuration and Vulnerability Assessment (CAVA) is a hands-on, privileged security inspection consisting of two components. First, we look at the configuration of systems to evaluate the strengths and weaknesses of your information system’s design and technical / operational controls. Then we run a vulnerability scan on your internal network to identify vulnerabilities that are specific to your system and devices. We use the credentials of domain administrators, which allows us to look at things like domain registries and patches.
Through the Assessment, we will:
A Sage Data Security expert will meet you onsite at your location to perform data collection in person. We conduct the configuration review using automated and manual open source, commercial and proprietary tools, interviews, and observation techniques. Administrative credentials are required to perform the Configuration Assessment.
We conduct the Vulnerability Assessment using a licensed commercial vulnerability scanner that supports a wide range of network devices, operating systems, databases, and applications. While administrative credentials are optional for the vulnerability scans, we encourage using them to scan Microsoft Windows environments because the results will be more accurate and will better expose the system’s vulnerabilities.
Sage experts perform the Data Analysis Phase of the Assessment offsite by reviewing the data we’ve collected. In the Configuration Assessment Analysis, we compare each system and assign compliance ratings in accordance with industry-standard and regulatory best practices. In the Vulnerability Assessment Analysis, we review the results of the vulnerability scans to ensure that the most relevant information is included in a clear and concise manner.
Once we have analyzed the data, we will schedule a meeting with you, generally via WebEx, to review the results step by step.
The Internal Configuration and Vulnerability Assessment (CAVA) report includes: