System security analysis is performed by using passive and active analysis.
Passive security analysis
Passive analysis uses MSAT (Microsoft Security Assessment Tool) and similar tools to gain insight into system maturity and to assess system security against generally accepted standards. The MSAT assessment consists of over 200 questions covering infrastructure, applications, operations and people. The questions, the related answers and the recommendations are derived from generally accepted best practices and standards, such as ISO 17799 and NIST-800.x, as well as from recommendations and prescribed guidelines by Microsoft and other external security sources.
Active security analysis
Active analysis includes detailed analysis of internal network resources and of different categories of computer vulnerability, from system and program flaws to configuration failures caused by inexpert handling and configuration of equipment.
In addition, active security analysis is useful because it reveals differences between the documented and the actual condition of the system. Identified defects are categorized according to their importance and their level of influence on business activity.
The service of creating security policies is a process of documenting internal rules and procedures for using the company's ICT system. It is based on the current condition established by the security analysis and on the desired condition defined by the company's business needs, targets and security requirements.
Increased level of IT system security