In keeping with Mt Xia's overriding mentality of automation, our toolsets enable the ability to respond to audit requests via a "self-service" interface which grants access to audit information only to authorized auditors. This relieves the system administration staff from having to gather, format, and provide this information to numerous different auditors, several times a year. Depending upon the size of the organization, this automated audit response system can save hundreds of thousands of dollars per year.
The automation of audit response is achieved through the integration of several Mt Xia toolsets. These toolsets continuously gather information about the systems and generate audit documentation containing this information. These documents are uploaded to Mt Xia's content management system and made available to auditors upon request. The only on-going task for the system administrator, is to grant or deny access to auditors.
IAM is a detailed and systematic method for examining security vulnerabilities from an organizational perspective as opposed to a only a technical perspective. Often overlooked are the processes, procedures, documentation, and informal activities that directly impact an organization's overall security posture but that might not necessarily be technical in nature.
NSA developed the IAM to give organizations a repeatable framework for conducting organizational types of assessments. We can also provide clients, appropriate information on what to look for in an assessment provider.
The IAM is also intended to rase awareness of the need for organizational types of assessment versus the purely technical type of assessment.
National Security Agency's IAM is a baseline measurement of the controls implemented to protect information that is transmitted, processed, or stored by a specific system. Simplified, this is a measurement of the security posture of a system or organization.
| Pre-Assessment Phase | On-Site Assessment Phase | Post Assessment Phase |
|---|---|---|
| Identify Information Criticality | On-Site In-Brief | Additional Documentation Review |
| Identify System Configuration | Interview Site Personnel | Finalize Analysis |
| Set Scope of the Assessment | System Demonstrations | Consult Additional Expertise |
| Documentation Request | Documentation Review | Generate Recommendations |
| Documentation Review | On-Site Out Brief | Final Report Coordination |
| Team Assignment | ||
| Pre-Analysis | ||
| Site Visit Coordination |
The OICM is based on the client decisions about the information types within their own organization that are critical for the completion of their mission and meeting organizational goals.
Defines those specific systems that process, transmit, or store the client's critical information. These are the key information systems that have the greatest impact on the client's operations. From a technical perspective, these are the systems that will be most focused on during any technical evaluations that occour in conjuction with the IAM assessment process. From a purely organizaitonal perspective, these are the systems that need the deepest scrutiny because the compromise or complete loss of these particular information systems would most likely have a distinct and often painful impact on the organization.