Security Assessment Objectives

2.1 Assessment Objectives

The penetration test results are evaluated in light of the following business risk issues to assist the customer in prioritizing the recommended mitigation steps:

  • Financial – Assess the level of risk the organization is prepared to absorb, expressed as a potential financial loss, against the cost of remediation.
  • Reputation – Quantify or estimate the loss of reputation derived from the application being misused or successfully attacked.
  • Identity – Does the application protect user identity from abuse? Are there adequate controls in place to ensure evidence of identity?
  • Privacy and Regulatory – To what extent will the application have to protect user data? Extra attention is required in medical applications.
  • Availability Guarantees – Is the application required to be available per a Service Level Agreement (SLA) or similar guarantee? To what level must the application be available? High availability techniques are significantly more expensive, so applying the correct controls up front will save a great deal of time, resources, and money.