Information Security Evaluation Methodology

The INFOSEC Evaluation Methodology (IEM) is a follow-on methodology to the NSA INFOSEC Assessment Methodology (IAM). It provides the technical evaluation processes that were intentionally left out of the IAM. The IEM is a hands-on methodology that actively interacts with the customer's technical environment, and the NSA intended the IAM and IEM processes to be used together.

The IAM provides an understanding of organizational security as it relates to mission, policies and procedures.

The IEM offers a comprehensive look at the actual technical security of the organization.

Together, these two processes allow OZUS to determine the information security posture of a client more accurately.
The ratings of OZUS findings are based on three inputs: the client's own view of the criticality of their information, industry-accepted severity ratings for each type of finding, and the expertise of the OZUS evaluation team.

Phases of the IEM

Pre-Evaluation Phase
- Identify Systems and Boundaries
- Determine System Architecture
- Legal Coordination
- Create Rules of Engagement
- Determine Evaluation Scope
- Develop Evaluation Plan
- On-Site Visit Coordination

On-Site Evaluation Phase
- On-Site In-Brief
- Evaluation Testing
  - 10 Baseline Activities
- On-Site Out-Brief

Post-Evaluation Phase
- Conduct Final Analysis
- Consult Additional Expertise
- Generate Final Report
- Create Security Road Map
- Deliver Final Report
- Follow Up with Customer

IEM is Comprehensive

The IEM is not just a network evaluation methodology. Although we do run scanning tools and look for network-accessible services and applications, the IEM goes much deeper into the client's technical presence.
This includes reviewing the configuration of servers, hosts, routers, firewalls, and other high-assurance components.
We also test password strength and analyze the architecture of the client network from a security perspective.

The IEM is not a Red Team activity: it is cooperative with the client, not adversarial.
The IEM is comprehensive in that we want to find every security finding we can so the client can address it. To do that, we must cover the entirety of the client's technical exposure, not just the parts that are easiest to reach from the network.