The IPA process involves conversations about many different mechanisms for addressing and controlling risk. Depending on the situation, some control areas receive more scrutiny and others less. These are the control areas typically covered in a completed IPA report:

System Security
  • Anti-malware
  • Inventory
  • Logging and monitoring
  • Password requirements
  • Patching
  • Standard images and builds
Application Security
  • Account management
  • Logging and monitoring
  • Password requirements
  • Patching
  • Penetration testing
  • Secure development practices
Physical Security
  • Access control system
  • Camera coverage
  • Exterior
  • Interior
  • Monitoring / security guards
Management & Personnel Security
  • Badging
  • Contracting practices
  • Hiring practices
  • Standards and policies (acceptable use, cryptography, password, etc.)
Networking
  • Firewalls & intrusion detection
  • Remote access (employee, client/customer, partner)
  • Wireless networks
Business Continuity & Disaster Recovery
  • Backups
  • Environmental controls
  • Fire detection and suppression
  • Network connectivity
  • Power generation and backup
Information Classification & Protection
  • Portable devices
  • Paper
  • Other media (film, CDs, etc.)