Specifications include, but are not limited to: The focus of the network/data security audit should be applications, data, computer, network and communications systems vulnerabilities. However, the security assessment should also incidentally address such areas as physical security, system/data access, user access control, production controls, documentation and procedures, evaluation of best practices pertaining to cybersecurity, change management, disaster recovery, and recovery from a cyber-attack. The network/data security audit must include interviews with appropriate application, data, and system owners, as well as a technical study of each system’s security. For applications in scope, it would include data change authority and/or data vulnerabilities. For infrastructure systems in scope, it would include malicious change attempts and/or any type of disruptive attacks. The scope should include the following: Network Penetration Test – Evaluate the network perimeter and firewall from the perspective of an outside attacker with no inside knowledge of the network. Tests must not negatively impact network performance of end users within the district or personnel accessing resources from outside of our network.
