INFOSEC Evaluation Methodology (IEM) is a follow-on methodology to the NSA IAM. It provides the technical evaluation processes that were intentionally left out of the IAM. The IEM is a hands-on methodology that actively interacts with the customer's technical environment. As such, the NSA intended the IAM and IEM processes to work hand in hand.
The IAM provides an understanding of organization security as it relates to mission, policies and procedures.
The IEM offers a comprehensive look into the actual technical security of the organization.
Together, these two processes allow OZUS to more accurately determine the information security posture of our client.
The ratings of OZUS findings are based on the client's view of their information's criticality, industry-accepted ratings for each of the findings, and the expertise of the OZUS evaluation team.
Phases of the IEM
| Pre-Evaluation Phase | On-Site Evaluation Phase | Post Evaluation Phase |
|---|---|---|
| Identify Systems and Boundaries | On-Site In-Brief | Conduct Final Analysis |
| Determine System Architecture | Evaluation Testing (10 Baseline Activities) | Consult Additional Expertise |
| Legal Coordination | On-Site Out Brief | Generate Final Report |
| Create Rules of Engagement | | Create Security Road Map |
| Determine Evaluation Scope | | Deliver Final Report |
| Develop Evaluation Plan | | Follow Up with Customer |
| On-Site Visit Coordination | | |
IEM is Comprehensive
IEM is not just a network evaluation methodology. Although we do run scanning tools and look for network accessible services or applications, the IEM delves much deeper into the client’s technical presence.
This includes testing the configuration on all servers, hosts, routers, firewalls, and other high-assurance components.
We'll also be testing password strength and analyzing the architecture of the client network from a security perspective.
The IEM is not a Red Team activity; the IEM is cooperative with the client, not adversarial.
The IEM is comprehensive in that we want to find every possible security finding we can so the client can lock it down. Therefore, we must address the entirety of the client’s technical exposure.