This is a specialized version of security testing and risk assessment. It focuses primarily on the configuration and effectiveness of the tools and controls in the environment. An infrastructure assessment is a "real-time" assessment of the security controls within the organization's security operational processes. Examples are the standard components found in an organization's infrastructure, such as routers, web, proxy and application servers, firewalls and databases.
The technical and process review covers all in-scope information assets. This includes:
- Access control capabilities, specifically privilege access control. The privilege access control process defines how the organization grants “root access” to applications and information systems, as well as direct access to certain classes of protected information.
- Network security processes and technologies within the network infrastructure. This step includes compensating security controls, firewalls, IPS/IDS, threat intelligence, specific network security configurations within network appliances, and much more.
- The system security processes and technologies. This step includes security controls within the server and workstation environments, such as endpoint compliance, integrity controls, encryption, and much more.
Infrastructure assessments are critical for validating existing organizational controls and supporting processes. The result is essential for confirming controls ahead of an upcoming compliance review, identifying configuration issues, and identifying ineffective controls.