The ISSAF is not very active, but the guide they have provided is quite comprehensive. It aims to evaluate information security policy and an organization's compliance with IT industry standards, laws, and regulatory requirements. The current version of ISSAF is 0.2.
It covers the following stages:
- Project management
- Guidelines and best practices—pre-assessment, assessment, and post-assessment
- Assessment methodology
- Review of information security policy and security organization
- Evaluation of risk assessment methodology
- Technical control assessment
- Technical control assessment—methodology
- Password security
- Password cracking strategies
- Unix /Linux system security assessment
- Windows system security assessment
- Novell netware security assessment
- Database security assessment
- Wireless security assessment
- Switch security assessment
- Router security assessment
- Firewall security assessment
- Intrusion detection system security assessment
- VPN security assessment
- Anti-virus system security assessment and management strategy
- Web application security assessment
- Storage area network (SAN) security
- Internet user security
- As 400 security
- Source code auditing
- Binary auditing
- Social engineering
- Physical security assessment
- Incident analysis
- Review of logging/monitoring and auditing processes
- Business continuity planning and disaster recovery
- Security awareness and training
- Outsourcing security concerns
- Knowledge base
- Legal aspects of security assessment projects
- Non-disclosure agreement (NDA)
- Security assessment contract
- Request for Proposal Template
- Desktop security checklist—windows
- Linux security checklist
- Solaris operating system security checklist
- Default ports—firewall
- Default ports—IDS/IPS