Technology Security Reviews

Here are some high-level topics covered by the reviews. Realize that these things are broken down into low-level detail (remote scanning, vulnerability testing, site visits, report writing,
etc) during reviews:

1. IT Inventory

IT assets include all computers, printers, PDA, or equipment owned by a VT department that connects to the VT network. The review will determine how well a department keeps track of its IT asset inventory.
Can a department provide a current listing of all IT assets in a timely fashion? If they cannot, the reviewer wonders if adequate inventory control measures are in place. Lax asset management is a computer and data security threat because the following question isn't answered
adequately: "How can one prevent data loss and compromise when one cannot account for IT assets?"

2. IT Management

Does a department have adequate IT support? Are industry best practices (patching, upgrades, backups, access controls, etc.) a part of the management plan? Do they provide enough funding for IT operations? These questions and others are examined to determine how well a department is managing its IT infrastructure.

3. IT Operations

How do departments operate on a day-to-day basis? What do IT practices look like "On the ground and in the trenches?" Here, the reviewer examines how IT theory/ideas/management policies are actually implemented and practiced daily. If the reviewer sees that management practices are actually implemented, then that's a good thing. Even if the idea/theory in practice isn't optimal, at least they have implemented something and are making an effort... other than just talking about ideas in meetings. Departments making an effort are trying to do what's right and are usually very open to suggestions to do things better.

Areas may request security reviews be done in a specific area by contacting Brad Tilley at: brad.tilley@vt.edu