GW IT Security Assessment

GW Information Technology (IT) maintains a comprehensive program for application security. At the heart of this program is our security assessment process. We’ve prepared the following FAQ to help guide you through this process and to explain the terminology that is commonly used when interacting with the security assessment team. If you have additional questions, please contact us at [email protected].

1) How do I request a new security assessment?

Visit go.gwu.edu/securityassessment to request a security assessment.

2) I filled out the form. What are the next steps?

Your request will now be considered for inclusion in the assessment calendar. Based on the information you provide, we will do our best to perform the assessment in a manner that allows you to meet your project objective(s).

3) Why can’t I add an assessment to the calendar myself?

Previously, the security team received assessment requests through a variety of channels, including some direct additions to the calendar without consultation. Some requests were made with limited notice. Other assessments were not able to begin on time due to project delays. A more structured and mature approach to this process was needed to ensure optimal customer outcomes while allowing the security team ample time to complete its work.

4) What is a vulnerability scan?

A vulnerability scan is an automated assessment of known vulnerabilities for a given host or application. Some customization and configuration may be required, but most often, the assessor can quickly perform this scan, remove any false positives, and report the findings. A vulnerability scan is generally the least time-consuming aspect of a security assessment, but it is a vital first step to assessing more complex aspects of an application or system.

5) What is an application assessment?

For desktop, mobile, and web applications, the assessor employs numerous testing techniques and tools to evaluate the security of that application. Many of these techniques and tools are applied manually, meaning that the assessor must manually “walk through” an application using specialized tools. This is usually the most complex and time-consuming aspect of a security assessment. While some of these tools allow for some scripting and automation, these are generally used for single-purpose testing, such as testing the login pages for a given application.

6) What is a host assessment?

In a host assessment, the assessor will evaluate the security of the machine where the application(s) run. This includes the operating system and any processes or software that run on that host system but are not considered to be part of the application. A host assessment will review the configuration against best practices, including the Center for Internet Security (CIS) Benchmarks.

7) What is a network assessment?

A network assessment will cover the network posture and logical accessibility of a given application. For example, an internal-use-only system should not be open to the public Internet. In this case, the assessor would evaluate what services are available from the public Internet and what, if any, access is allowed from other untrusted networks.

8) What is the high-level process for a security assessment?

The process for a security assessment generally looks like this:

  1. Request the assessment.

  2. Request is reviewed and prioritized.

  3. The assessment is scheduled on the security calendar in consultation with the requestor.

  4. Assessment is performed as dictated by the calendar.

  5. Application owners/admins perform corrective actions.

  6. Application is approved for production.

9) My application is not going to be ready in time to be assessed. What do I do?

Let’s talk. The sooner you let us know, the sooner we can see if we can move another assessment up on the calendar. If you wait until the week before or the day of the assessment to request a delay, it will be more difficult to accommodate your request. In these cases, we may not be able to perform the assessment. Please contact the AVP, Information Security to discuss the challenges you are having and what alternatives may be available.

10) How long will my assessment take?

It depends on the complexity of the application and what assessment components are being performed. We typically allow for 80 hours (two weeks) to perform an application security assessment. This allows the assessor to perform their work, document results in a Security Assessment Report (SAR) and a Plan of Action and Milestones (POAM), and communicate these results to the project manager and business owner. In some circumstances, an assessment may take longer than 80 hours. In these cases, you will be informed of this recommendation ahead of time.

The timeline for a vendor security assessment is difficult to predict due to multiple variables. Vendors may respond quickly to the assessment questionnaire, or take much longer, depending on their workflow and load. Work with our Appsec team and your vendor after requesting a third-party security assessment.

11) What is a SAR?

The Security Assessment Report (SAR) summarizes the results of the assessment, the steps taken, and the findings and recommendations. It’s a lengthy document that should never be shared publicly or with a vendor. If you need to share a SAR with a vendor, request a redacted SAR. This can be prepared by the assessor, but keep in mind that this takes additional time.

12) What is a POAM?

The Plan of Action and Milestones (POAM) summarizes all findings of a security assessment. It allows the project manager, business owner, and technical leads to document corrective actions taken, plan for corrective actions, and track their work.

13) What do you expect of an architecture diagram?

A useful architecture diagram will cover the following:

  • The network topology of the application including IP addresses, network exposure, relevant ports and protocols, and various relationships with other network resources

  • The data flow of the application including how data gets into an application (e.g. API, direct entry) and where it flows once data is input

  • All in-scope aspects of the system. If you don’t know its scope yet, ask yourself “what are the core services that are required for my application to run?” The answer to that question should be covered in the architecture diagram.

Here is an example of a simple diagram:

[Figure: Example of a simple architectural diagram]