Information Systems Security Assessment Framework (ISSAF) Draft 0.1

1 ABOUT ISSAF

1.1 PREFACE

Today, the evaluation of Information Systems (IS) security in accordance with business requirements is a vital component of any organization's business strategy. While there are a few information security assessment standards, methodologies and frameworks that talk about what areas of security must be considered, they do not contain specifics on HOW and WHY existing security measures should be assessed, nor do they recommend controls to safeguard them.

The Information System Security Assessment Framework (ISSAF) is a peer-reviewed, structured framework that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains. It aims to provide field inputs on security assessment that reflect real-life scenarios. ISSAF should primarily be used to fulfill an organization's security assessment requirements and may additionally be used as a reference for meeting other information security needs. ISSAF also covers the crucial facet of security processes, their assessment and their hardening, to give a complete picture of the vulnerabilities that might exist.

The information in ISSAF is organized into well-defined evaluation criteria, each of which has been reviewed by subject matter experts in that domain. These evaluation criteria include:

- A description of the evaluation criteria
- Its aims & objectives
- The pre-requisites for conducting the evaluations
- The process for the evaluation
- The expected results
- Recommended countermeasures
- References to external documents

The overall framework is large; we chose to provide as much information as possible on the assumption that it would be easier for users to delete material than to develop it.
© 2004, Balwant Rathore, Open Information Systems Security Group (www.oissg.org) Date: 3/9/2016 Page 2 of 17

The Information System Security Assessment Framework (ISSAF) is an evolving document that will be expanded, amended and updated in future.

1.1.1 What are the Objectives of ISSAF?

- To act as an end-to-end reference document for security assessment
- To standardize the Information System Security Assessment process
- To set the minimal level of acceptable process
- To provide a baseline on which an assessment can (or should) be performed
- To assess safeguards deployed against unauthorized access
- To act as a reference for information security implementation
- To strengthen existing security processes and technology

1.1.2 What are the Goals of ISSAF?

The goal of the ISSAF is to provide a single point of reference for security assessment. It is a reference that is closely aligned with real-world security assessment issues and that is a value proposition for businesses.
To this aim the ISSAF has the following high-level agenda:

- Evaluate the organization's information security policies and ensure that they meet industry requirements & do not violate any applicable laws & regulations
- Identify critical information systems infrastructure required for the organization's business processes and evaluate their security
- Conduct vulnerability assessments & penetration tests to highlight system vulnerabilities, thereby identifying weaknesses in systems, networks and applications
- Evaluate controls applied to various security domains by:
  o Finding mis-configurations and rectifying them
  o Identifying known and unknown risks related to technologies and addressing them
  o Identifying known and unknown risks within your people or business processes and addressing them
  o Strengthening existing processes and technologies
- Prioritize assessment activities as per system criticality, testing expenses, and expected benefits
- Educate people on performing security assessments
- Educate people on securing systems, networks and applications
- Provide information on
  o The review of logging, monitoring & auditing processes
  o The building and review of Disaster Recovery Plans
  o The review of outsourcing security concerns
- Compliance with Legal & Regulatory Standards
- Create Security Awareness
- Effective Management of Security Assessment Projects
- Guarding against social engineering exploitation
- Physical security control review

This approach is based on using the shortest path required to achieve one's goal by finding flaws that can be exploited efficiently, with minimal effort. The goal of this framework is to give completeness, accuracy and efficiency to security assessments.

1.1.3 Why did we come up with ISSAF?
After working on many information assurance projects, we felt the lack of a comprehensive framework that provides information security assurance through performing standardized vulnerability assessment, penetration testing, security assessment and security audit. ISSAF is a comprehensive and in-depth framework that helps avoid the risk inherent in narrow or ineffective security assessment methodologies.

In ISSAF we have tried to define an information system security assessment methodology that is more comprehensive than other assessment frameworks; it seeks to mitigate the inherent risk in the security assessment process itself. It helps us understand the business risks that we face in performing our daily operations. The threats, vulnerabilities, and potential exposures that affect our organizations are too great to be ignored.

At this particular time it is not the answer to every question or situation, but we are committed to continuous improvement by refining current topics and adding new ones.

ISSAF has laid the foundation; now it's your turn to benefit from it, whether you use it as is or tailor the materials to suit your organization's needs. Welcome to ISSAF; we hope you will find it useful.
1.2 TARGET AUDIENCE

This framework is aimed at a wide spectrum of audiences that include:

- Internal and external vulnerability assessors, penetration testers, security auditors and security assessors
- Professionals responsible for information security and perimeter security
- Security engineers and consultants
- Security assessment project managers
- Information system staff responsible for information security
- System/network/Web administrators
- Technical and functional managers

1.3 CONTRIBUTORS

1.3.1 Contributor Contacts and References - Ascending order by Name

1.3.2 Contributors as per Domain

Domain / Author[s] / Contributor[s]

Project Management S.Saravanan and Balwant Rathore Best Practices – Pre-Assessment, Assessment, Post Assessment Balwant Rathore Evaluation of Third Party Contracts Assessment Framework Viraf Hathiram S.Saravanan Omar Herrera Dieter Sarrazyn Balwant Rathore Balwant Rathore Umesh Chavan Johnny Long Gareth Davies Technical Control Assessment Methodology Balwant Rathore Pukhraj Singh Param Singh Dieter Sarrazyn Kartikeya Puri Review Information Security Policy And Security Organization Umesh Chavan R.S. Sundar Review Risk Assessment And Classification Umesh Chavan Balwant Rathore Major Gajendra Singh Bernardo Reino aka lepton Password Security Miguel Dilaj Piero Brunati Matteo Brunati Password Cracking Strategies Unix /Linux System Security Assessment Pietro Brunati Miguel Dilaj Arturo "Buanzo" Busleiman Balwant Rathore Kartikeya Puri Jayesh Thakur Linux Audit Check-List Hiten Desai Linux Audit Tool Hiten Desai Solaris Audit Check-List Jayesh Thakur Solaris Audit Tool Vijay Ganpathy Windows System Security Assessment Bernardo Reino aka lepton Balwant Rathore Arturo "Buanzo" Busleiman Dieter Sarrazyn R.S. Sundar Kartikeya Puri Windows Security Audit Tool Desktop Security Checklist - Windows Oscar Marin Dieter Sarrazyn Umesh Chavan Balwant Rathore Balwant Rathore Kartikeya Puri Database Security Assessment K. K. Mookhey Balwant Rathore Wireless Security Assessment Balwant Rathore Novell Netware Security Assessment Wi-fi Security Assessment Physical Security Assessment J Sheik Abdulla Anish Mohammed Balwant Rathore Balwant Rathore Umesh Chavan Switch Security Assessment Balwant Rathore Cesar Tascon Router Security Assessment Balwant Rathore Manish Uboveja Firewall Security Assessment Balwant Rathore Dieter Sarrazyn Default Ports – Firewall Intrusion Detection System Security Assessment Default Ports – IDS/IPS VPN Security Assessment Anti-Virus System Security Assessment And Management Strategy Web Application Security Web Application Security – SQL Injections Vinay Tiwari Balwant Rathore Rishi Pande Balwant Rathore Balwant Rathore Umesh Chavan Miguel Dilaj Balwant Rathore Hemil Shah Balwant Rathore IIS Audit Check-List Hernan Marcelo Racciatti Business Continuity Planning And Disaster Recovery Dragos Gabrial O. Zabal Balwant Rathore Oliver Karow Vinary Tiwari Web Server Security Binary Auditing Dieter Sarrazyn Hernan Marcelo Racciatti Rahul Balwant Rathore R.S. Sundar Disaster Recovery Planning Social Engineering Kalpesh Doshi Umesh Chavan Dragos Incident Analysis Muhammad Faisal Rauf Danka Storage Area Network (SAN) Security Balwant Rathore Hari Prasad Chede Internet User Security Balwant Rathore Review Of Logging / Monitoring & Auditing Processes R.S. Sundar Umesh Chavan Assess Outsourcing Security Concerns Security Awareness And Training Balwant Rathore Balwant Rathore Kartikeya Puri Thanzeer Umesh Chavan R.S. Sundar Salman Ashraf Patrick Balwant Rathore Knowledge Base Legal Aspects Of Security Assessment Projects Balwant Rathore Sandhya Khamesra Dos Attacks: Instigation And Mitigation Jeremy Martin Virus & Worms Jeremy Martin Cryptography Jeremy Martin Non-Disclosure Agreement (NDA) Balwant Rathore Security Assessment Contract Balwant Rathore Sandhya Khamesra Request For Proposal Template Vulnerability Assessment / Penetration Testing Lab Links Report Template Balwant Rathore Hamid kashfi Balwant Rathore Marko Ruotsalainen Balwant Rathore Umesh Chavan

1.3.3 Key Contributors Introduction

Umesh Chavan

Umesh Chavan is an information security professional with over 7 years of experience and holds a CISSP. He is currently working with CoreObjects, India, where he is involved in the development of security products. Prior to this he worked with JP Morgan Chase as an Information Risk Manager and as an Information Security Specialist with Larsen & Toubro Infotech Ltd.
He has exposure to the various domains in security and has a unique blend of both process and technical knowledge. He likes conversing with people, sharing new ideas and enriching his knowledge, not necessarily restricted to the field of information security.

Miguel Dilaj

- Born in 1971
- Started using computers in 1982 (venerable C64). Migrated to Amiga in the late 80's (still have and use regularly a PowerPC Amiga)
- Became involved with PC and AS/400 in the 90's
- First serious use of Linux in 1998 (RedHat 5.1); tried FreeBSD, NetBSD and OpenBSD and fell back to Linux. RedHat-based, Slackware-based and Debian-based distros tried. Currently using Debian-based
- Continuous Windows use from 3.0 up to XP Pro
- Became deeply into IT Security in '98, when it started to be possible to have real control of the situation (i.e. Linux!)
- Started training other people in Linux and IT Security in 2000; currently working in the Quality Assurance and Automation fields (Computerized System Validation)
- Interested in clusters and their use for password auditing

Piero Brunati

Co-founder of Nest (www.nestonline.com), where he performs research and ethical hacking and develops software; he tries hard to mitigate customers' nightmares. He began butchering computers back in the good old 70's, when he spent his first salary to buy the components he used to solder his first computer (8008 CPU, 2k static RAM, 2k EPROM, serial and parallel I/O).

K. K. Mookhey

K. K. Mookhey is the Founder and Chief Technology Officer of Network Intelligence (www.nii.co.in), an information security consulting firm. He has provided security consulting services to Fortune 500 companies and industry segment leaders in India, the Middle East, and North America. He has pioneered the development of the AuditPro suite of security auditing software, as well as initiating the research efforts within the company. His vulnerability research team has found security vulnerabilities in products from vendors such as Oracle, Symantec, and Macromedia. He is a regular contributor to the Infocus series of articles on SecurityFocus, as well as various industry journals such as IS Control and IT Audit. He is the author of a monograph on "Linux Security Audit and Controls" commissioned by the Information Systems Audit and Control Association (ISACA). He is also the author of the chapter on "Web Application Attacks" in the upcoming version of the OWASP Guide.

Dieter Sarrazyn

Dieter Sarrazyn has been an information security consultant and trainer for more than 6 years now. Dieter is a certified and experienced professional in the areas of creating secure information systems and network architectures, performing security audits of systems and network infrastructures, performing penetration tests, and installing and configuring firewall and VPN solutions. Other expertise lies in the areas of system and network management, installing and configuring antivirus solutions, and installing and configuring mail relay systems. Dieter first worked as a Security Engineer in a network integration company and then moved towards security consulting at the company he's still working for. His main tasks are performing penetration testing, security auditing and teaching the Hacking Inside Out course. He is also a Local Mentor for SANS tracks 1 and 4. Dieter has earned the following certifications: CISSP, GSEC, GCIH, CCSA & CCSE.
1.4 DOCUMENT ORGANIZATION AND CONVENTIONS

1.4.1 Document Organization

This framework briefly discusses the requirements for security assessments and explains in detail the methodology of security assessments. The sections are organized as follows:

1. Project Management
2. Guidelines And Best Practices – Pre Assessment, Assessment And Post Assessment
3. Assessment Methodology
4. Review Of Information Security Policy And Security Organization
5. Evaluation Of Risk Assessment Methodology
6. Technical Control Assessment
   - Technical Control Assessment - Methodology
   - Password Security
   - Password Cracking Strategies
   - Unix /Linux System Security Assessment
   - Windows System Security Assessment
   - Novell Netware Security Assessment
   - Database Security Assessment
   - Wireless Security Assessment
   - Switch Security Assessment
   - Router Security Assessment
   - Firewall Security Assessment
   - Intrusion Detection System Security Assessment
   - VPN Security Assessment
   - Anti-Virus System Security Assessment And Management Strategy
   - Web Application Security Assessment
   - Storage Area Network (SAN) Security
   - Internet User Security
   - AS 400 Security
   - Source Code Auditing
   - Binary Auditing
7. Social Engineering
8. Physical Security Assessment
9. Incident Analysis
10. Review Of Logging / Monitoring & Auditing Processes
11. Business Continuity Planning And Disaster Recovery
12. Security Awareness And Training
13. Outsourcing Security Concerns
14. Knowledge Base
   - Legal Aspects Of Security Assessment Projects
   - Non-Disclosure Agreement (NDA)
   - Security Assessment Contract
   - Request For Proposal Template
   - Desktop Security Check-List - Windows
   - Linux Security Check-List
   - Solaris Operating System Security Check-List
   - Default Ports - Firewall
   - Default Ports – IDS/IPS
   - Links
   - Penetration Testing Lab Design

1.4.2 Document Convention

In many places in this document we use the following test case template:

Heading of Topic
  Introduction (Description / purpose / requirement / terminology / history)
  Objective (SECURITY TESTER'S AND SYSTEM ADMINISTRATOR'S PERSPECTIVE)
  Expected Results
  Methodology (Structured steps that need to be followed to complete the test case)
    Per Test / Technique
      Description
      Objective
      Expected Result
      Pre-requisite
      Process (Steps to complete this task)
        [Description]
        [Example/Results]
        [Countermeasure]
      Example/Results of common testing tool(s)
      Countermeasure(s)
      Further Reading(s)
      Contributor(s)
  Global Comments
  Global Countermeasure(s)
  Contributor(s)
  Further Reading(s)

1.5 DISCLAIMER

While all possible precautions have been taken to ensure accuracy during the development of the Information System Security Assessment Framework (ISSAF), also referred to as ISSAF, the Open Information System Security Group (OISSG) assumes no responsibility for any damages, errors or downtime resulting from or caused by the use of the information contained herein. OISSG does not warrant or assume any legal liability or responsibility for the completeness, usefulness or accuracy of the information presented in this document.
OISSG will not be responsible for any damage, malfunction, downtime, or other errors that might result from the usage of this document.

1.6 LICENSING

- We impose no restrictions on any individual/organization practicing the ISSAF.
- Any individual/organization will be granted unlimited distribution of the ISSAF provided the copyright is included in the document & the author name[s] are maintained in the document after the final release of ISSAF. This release is a draft, and to distribute it one needs to take permission from OISSG.
- We impose no restrictions on any individual/organization developing products based on it.
- A written authorization is required from OISSG for any individual or organization that provides training based on ISSAF and/or wants to use ISSAF material for commercial training purposes.
- Generally, tools developed for ISSAF assessment are released under the GNU GPL (http://www.opensource.org/licenses/gpl-license.html).
- OISSG reserves the right to change the licensing policy at its own discretion.

Do reach us for more detail on our licensing at licensing@oissg.org