This service provides a simple grading system to describe the current security infrastructure as it relates to an Open Text Content Server-based solution. This service does not provide an assessment of the security of the system, rather it provides a grade for the various aspects of a security program as it applies to a Content Server-based solution. The service examines the following:

Installation security

•  File system, system privileges
  • A = The evidence supports an approach that leads to a least privilege model
  • B = The evidence supports an approach that makes security trade offs that are known and understood by the client
  • C = The evidence supports an approach that generally leads to a less secure system than the client believes the case
  • D = The evidence supports an approach that is likely to lead to an insecure system
• System administration, authentication, authorization, and access
  • A = The evidence supports an approach that is likely to lead to a system where system administration can only be performed by authorized personnel.
  • B = The evidence supports an approach that is likely to lead to a system where at least some administrators have the ability to perform unauthorized tasks, bypass access control lists designed to restrict view of content, or otherwise technically override a defined security policy but the risks involved are known and fully understood by the client
  • C = The evidence supports an approach that is likely to lead to a system where at least some administrators have the ability to perform unauthorized tasks, bypass access control lists designed to restrict view of content, or otherwise technically override a defined security policy and the risks involved are not known or well understood by the client
  • D = The evidence supports an approach that is likely to lead to a system where unauthorized and unintended actions and bypassing of access control lists will occur
• Application administration, integration, authentication, authorization, and access
  • A = The evidence supports an approach that leads to an up-to-date, secure system where ALL application configuration, communication, installation, and maintenance are known and understood
  • B = The evidence supports an approach that leads to an up-to-date, relatively secure system where most application configurations, installations and maintenance are known and understood and there is reason to trust the discrepancies
  • C = The evidence supports an approach that extends trust to known entities and leads to an up-to-date, secure system provided that the trust is not misplaced
  • D = The evidence supports an approach that leads to a system that may fall behind on patches, have one or more unknown touch points with various applications that implicitly extend trust, provide unauthorized actions and bypass intended access control
• End User security
  • A = The evidence supports an approach that leads to a solution has adequately accounted for and mitigated the risks involved
  • B = The evidence supports an approach that leads to a solution that may not fully mitigate against the risks but the risks are well understood
  • C = The evidence supports an approach that leads to a solution that may not fully account or fully mitigate against the risks and a likelihood of a "minor" breach
  • D = The evidence supports an approach that leads to a solution that does not account for nor mitigate against some or all of the risks involved

This service is NOT a security assessment or audit

A proper security assessment or audit of any solution requires significant time and effort with an order of magnitude of $50,000 investment. It is a worthy service designed to fully flesh out all security risks, classify them, and offer mitigation techniques. It necessitates hundreds of hours of very detailed and focused effort. It is only after such a thorough review that a true assessment. This service should not be thought of as a replacement for such a detailed look, rather as a cost effective way of evaluating how security is handled by the client

Service Details

This service starts with a 1/2 hour virtual meeting whereby the client is provided with a questionnaire that describes the solution. All grading will be based upon the answers of this detailed questionnaire.

The consultant will spend up to 16 hours doing analysis and report generation. The report will be provided to the customer for review with a follow up final Question and Answer meeting to allow the client to fully appreciate the consultant report.

While this service will provide the reasoning for each "grade", it does NOT provide the client with any necessary or sufficient steps to mitigate though some guidance will generally be provided. Though all attempts will be made to gather and analyse all of the pertinent information, this service is intended as a low-cost, high-level review and therefore cannot offer guarantee. The service is intended to allow a qualified senior technical consultant the ability to offer an opinion on the security program around  a content server-based solution.

This service will be performed and/or supervised by Dave Kinchlea, recognized world-wide as an expert in Open Text ECM Architecture, Security and Performance.