The control objective is to ascertain whether adequate technical security controls have been implemented to secure the infrastructure and platforms hosting the organisation's critical business application systems.
The assessment approach starts with a review of the network diagram, topology and network traffic profile, to understand which security devices are deployed to protect the organisation's information assets. The assessment then proceeds as follows:
Assess the application threat profile and build a Threat-Vulnerability-Asset matrix; identify the weak links in the application and evaluate whether they can be exploited
Assess the risk to the underlying information assets, carry out risk rating and reporting, and provide a remedial action plan
Assess the adequacy of the data integrity, privacy and security controls
Test the key controls through technical vulnerability assessment and penetration testing
Assess the application system architecture and the authentication, authorization and audit process controls
Assess the adequacy of the application's built-in input, processing and output controls (for example, dual control for high-value transactions, monetary value validation, and error handling)
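As an added illustration of the last point (not code from the original page or from any particular product), the following Python shows what an assessor would expect to find behind the three named controls: a monetary value validator that fails closed, a maker-checker (dual control) step that refuses self-approval for transactions at or above a threshold, and an audit trail recording every decision. The threshold, currency list, user names and sample transactions are hypothetical.

```python
"""Dual control, monetary validation and fail-closed error handling.

Added example, not code from the original page. The policy values and
sample data below are hypothetical.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP
from typing import Optional

# Hypothetical policy: amounts at or above this need a second approver.
DUAL_CONTROL_THRESHOLD = Decimal("10000.00")
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}


class ControlError(Exception):
    """Raised when a control fails; callers must treat it as a rejection."""


def validate_amount(raw, currency):
    """Input control: parse and validate a monetary value.

    Fails closed: anything that is not a positive, finite amount with at most
    two decimal places in an allowed currency is rejected, never coerced.
    """
    if currency not in ALLOWED_CURRENCIES:
        raise ControlError(f"currency not allowed: {currency!r}")
    try:
        amount = Decimal(str(raw))          # Decimal, not float, for money
    except InvalidOperation:
        raise ControlError(f"amount is not numeric: {raw!r}")
    if not amount.is_finite():
        raise ControlError("amount must be finite")
    if amount <= 0:
        raise ControlError("amount must be positive")
    if amount != amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP):
        raise ControlError("amount must have at most two decimal places")
    return amount


@dataclass
class Transaction:
    tx_id: str
    amount: Decimal
    currency: str
    maker: str
    checker: Optional[str] = None
    status: str = "pending"
    audit_log: list = field(default_factory=list)   # (event, actor) pairs


def create_transaction(tx_id, raw_amount, currency, maker):
    """Maker step: validate the input and record who initiated it."""
    amount = validate_amount(raw_amount, currency)
    tx = Transaction(tx_id=tx_id, amount=amount, currency=currency, maker=maker)
    tx.audit_log.append(("created", maker))
    if amount < DUAL_CONTROL_THRESHOLD:
        # Below the threshold a single control is acceptable under this policy.
        tx.status = "approved"
        tx.audit_log.append(("auto-approved", "system"))
    return tx


def approve_transaction(tx, checker):
    """Checker step: a different user must approve high-value transactions."""
    if tx.status != "pending":
        raise ControlError(f"{tx.tx_id} is not pending (status={tx.status})")
    if checker == tx.maker:
        tx.audit_log.append(("rejected-self-approval", checker))
        raise ControlError("dual control violated: checker must differ from maker")
    tx.checker = checker
    tx.status = "approved"
    tx.audit_log.append(("approved", checker))
    return tx


def raises_control_error(fn, *args):
    """Helper for checks: True if the call is rejected by a control."""
    try:
        fn(*args)
    except ControlError:
        return True
    return False


def run_demo():
    """Constructed sample transactions; returns their final statuses."""
    low = create_transaction("T1", "250.00", "USD", "alice")        # auto-approved
    high = create_transaction("T2", "15000", "USD", "alice")        # needs a checker
    self_approval_blocked = raises_control_error(approve_transaction, high, "alice")
    approve_transaction(high, "bob")                                # different user: ok
    bad_amount_blocked = raises_control_error(validate_amount, "1.005", "USD")
    return {
        "T1": low.status,
        "T2": high.status,
        "self_approval_blocked": self_approval_blocked,
        "bad_amount_blocked": bad_amount_blocked,
        "T2_audit": high.audit_log,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

When reviewing a real application, the questions this example makes concrete are: is the amount parsed with a decimal type and rejected (not rounded) on bad precision; is the maker/checker comparison done on the authenticated identity rather than a client-supplied field; and does every rejection, including the self-approval attempt, leave an audit record.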