As a kick-start to the audit methodology, have the complete parsed asset inventory list.
Set the perimeter for the audit based on the collected information and focus on the selected scope.
This will be done in terms of:
1. Data Management
2. Data Environment
3. Infrastructure
4. Log Management
This step will define the potential threats: common threats as well as account-specific threats with respect to the company’s nature of business.
At this stage we look for potential gaps such as:
• Insufficient Identity, Credential and Access Management
• Insecure APIs
• System and network level vulnerabilities
• Malicious Insiders
• Advanced Persistent Threats
• Insufficient Due Diligence
• Shared Technology Vulnerabilities
Based on the list of threats, the potential impact of a threat occurrence is weighed against the chances that it can actually occur, and a risk score is assigned to each issue. The vulnerabilities tagged with a proper risk score would be compiled into a detailed report with mitigation plans and filled-in references.