IDBI Intech - Information security consulting


Information Security Consulting

Published in: Business, Technology

  1. Information Security Consulting
     Our Corporate Office
     IDBI Intech Limited, IDBI Building, Ground Floor, Plot No 39-41, Sector 11, CBD Belapur, Navi Mumbai 400614, India
     Website: | Tel No: +9122 – 3914 8000 | Fax No: 9122 – 2756 6313
  2. Table of Content
     - IDBI Intech Ltd
     - Information Security Consulting
     - Selective Experience & Clientele
     - Information Security Consulting - Team Credentials
     - The Next Step
  3. IDBI INTECH LIMITED
     IDBI Intech Limited is a professionally managed IDBI Group Company providing IT related services to Banking, Financial Services, and Insurance Clients. Our mission is to deliver optimal IT services and innovative solutions by leveraging technology with intellectual capital, to accomplish customer delight.
     Our operating philosophies are as below:
     - We strive harder to create an environment of value and trust for our prospective and existing clients.
     - Our clients’ success is our success. We do our best to ensure our clients triumph in all their endeavors. Our service should and will have a direct, positive impact to our clients’ top line and bottom line.
     - We see our future in servicing our clients over a long term.
     IDBI Group of Companies is a resourceful business unit in India. IDBI Intech Limited is backed by the IDBI Group. Our foundation of stability comes from the strategic support offered by the IDBI Group of companies. This kind of support allows us to concentrate on new investments to scale up our capabilities, and to remain focused on the long term relationship management and support for our clients.
  4. OUR CLIENTS
     CERT-IN EMPANELMENT
     IDBI Intech has successfully been empanelled as a Certified IT Security Auditing Organisation with the Indian Computer Emergency Response Team (CERT-In), after passing through a rigorous selection process. We are now among the handful of organisations currently empanelled with CERT-In.
     The CERT-In operates under the auspices of, and with authority delegated by, the Department of Information Technology, Ministry of Communications & Information Technology, and Government of India. The complete list of Empanelled IT Security Auditing Organisations is available on CERT-In website at:
     QUALITY FOCUS
     Stringent quality assurance and quality control processes are followed through a comprehensive system of internal audits. Our participatory approach for process improvements requires cross-functional teams to work on specific processes to enhance effectiveness. Intech is an ISO 9001:2008 Certified organisation.
  5. SERVICES
     We offer a spectrum of Solutions and Services to BFSI Sector. Our software solutions and IT services delivery processes are designed and fine-tuned to meet the clients’ diverse requirements. Knowledge management tools support our quality processes.
     Our service offerings are:
     - Comprehensive IT Consulting
       - Consultancy in IT services like CBS integration, RTGS/NEFT/NDS etc.
       - Core banking System integration, and customization
       - Document management
       - Independent testing services
       - Website development and maintenance
       - Data Centre establishment on the Build Operate & Transfer Model
     - Information Security Consulting
       - IT Governance
         - Preparation of IT security policy
         - Implementation of IT security policy
       - Information Security Awareness Training program
       - IS Audits
       - Application Assurance
       - Network Audit
       - Penetration testing
       - Vulnerability Assessment
     - Corporate Learning & Development
       - Banking related specialized training programs
       - Core banking programs
       - System and procedures related programs
     - Business Process Outsourcing
       - Centralization of processes
       - Process Standardization
       - Call center
       - Image based workflow solution implementation
  6. INFORMATION SECURITY CONSULTING
     Information is at the heart of today’s business, and the all-pervasive impact of Information Technology in harnessing, collating and processing huge volumes of information is definitive. In this scenario, the need for ensuring that information is kept confidential, adhering to accepted norms of privacy and making it available to authorized users at the appropriate time assumes greater significance. This is particularly valid for the banking sector where day-to-day operations are centered on information and information processing, which in turn is highly dependent on Technology.
     Regulators across the world have asked Banking and Financial Services Industry (BFSI) for putting in place the guidelines on Information Security and made compliance to it mandatory. Growing level of computerization in BFSI, complexities of emerging technologies, networking, delivery channels such as Internet Banking, Mobile banking, Call centers, ATMs, Phone banking, Kiosks etc necessitate proper IS security and controls in place.
     We offer the following services under Information Security practices:
     - Managed Security Services (MSS)
     - Information Systems Audit
       - IS Security Audit
       - Core Banking Solution Audit
       - Data Center Audit
       - Network Audit including Vulnerability Assessment and Penetration Testing
       - Disaster Recovery Management & Business Continuity Planning
       - ISO 27001:2005 Compliance Consulting
       - Efficiency / Resource Utilization Review
       - Database Audit
     - Implementation Reviews
       - Review of ITIL Best Practices
       - Review of ERP Implementation, Security Policy Implementation & Controls Review
       - Data Migration Audits
       - IT Risk Assessment
       - Gap Analysis
       - Documentation Guidance
       - IT Integration
       - Data Migration Tools
  7.   - Product Selection Advice - Software or Hardware
       - Network Design
       - Security Policy Development & Guidance for Implementation
       - Information Security Education
     Following sections offer additional details on a selective list of the Information Security Consulting services.
     MANAGED SECURITY SERVICES
     IDBI Intech Limited has its own Security Operation Center (SOC) in Pune, India based on ArcSight SIEM platform with following features:
     - 24 hours, 365 days service support
     - Real time detection, alert & response
     - Attack correlation for logs from multiple sources
     - Multiple alert mechanisms
     - Multi-vendor and platform support
     - Support for large number of devices
     - Smart bandwidth utilization
     - Intelligent event capture
     - Incident Management
     - Risk based prioritization
     - Security Dashboard for online reports
     - 250+ predefined report templates
     - Rich visualization
  8. We offer following range of services under the umbrella of Managed Security Services (MSS). Clients can select the services based on their requirements.
     Managed Security Services:
     - Onsite Consulting
     - Anti-Phishing
     - Security Advisory
     - Anti-Virus & Content Filtering
     - Security Device Management
     - Secure Configuration Document
     - Technical Risk Assessment
       - Vulnerability Assessment
       - Penetration Testing
       - Application Security Testing
       - Network Security Architecture Review
     - Information Security Risk Assessment
       - Asset Based Risk Assessment
       - Physical & Environmental Review
     - Security Events & Log Monitoring
  9. Anti-Phishing
     The service can monitor your domain and can detect the phishing website anywhere in the world. We can take down the phishing website with the help of our partner. We also provide support in implementing preventive measures. The service is divided into five phases:
     1. Site Detection
        - Web Server & Mail Log Monitoring
        - Digital Watermark
        - Spam Trap
        - User Reporting
     2. Alerting
        - Evaluation
        - Statistical Analysis
        - Notification
     3. Site Takedown
        - Location Identification
        - Co-ordination with ISP’s
        - Site Bringdown
     4. Monitoring
        - Take down site monitoring
        - Phishing site monitoring
     5. Preventive Measures
        - User Awareness
        - Server Hardening
  10. Security Device Management
      We manage security components of the client’s IT infrastructure from onsite/offsite location. The components include firewall, IPS/IDS, Proxy, UTM, patch management, etc.
      [Diagram: Firewalls, IDS/IPS, URL Filter. Activities: rule base management, user management, rule base optimization, signature updates, global threat signatures, rule management, rule optimization, block/unblock URLs, web content filtering, version upgrades. Management areas: Fault, Configuration, Performance, Policy, Change, Capacity, Availability. Lifecycle: Device Acquisition, Device Commissioning, Device Upgrade.]
      Security Events & Log Monitoring
      We perform log monitoring with the help of a leading SIEM product “ArcSight”. ArcSight has been designed with the needs of highly complex, geographically dispersed, and heterogeneous business and technology infrastructures in mind. The service will be provided in the onsite/offsite location based on client requirement.
  11. Technical Risk Assessment
      We offer following technical risk assessment of IT infrastructure:
      - Vulnerability Assessment
      - Penetration Testing:
        - External PT
        - Internal PT
      - Application Security Testing
      - Network Security Architecture Review
      Anti-Virus & Content Filtering
      Our team will manage & monitor Anti-virus & content-filtering infrastructure. It will include desktop antivirus servers, gateway level AV, content filtering devices.
      IS Risk Assessment
      Our team will perform the IS risk assessment which covers review of various processes/activities.
      - Asset based Risk Assessment: We will carry out the asset based risk assessment as per the ISO 27001 standard requirements.
      - Physical & Environmental Review: Our team will review the existing physical & environmental controls in the secure areas like Datacenter.
      Onsite Consulting
      Based on the client’s requirements, our consultant visits the client location. The report will be submitted along with the necessary guidance.
      Secure Configuration Document
      We prepare secure configuration documents for all the operating systems, databases, IT applications like mail server, Web server, etc.
      Security Advisory
      We will be sending regular advisories & updates released by vendors as and when issued by them.
  12. IT GOVERNANCE
      - Regulatory compliance requirements
      - Aligning IT strategy with Business strategy
      - Board participation in monitoring IT
      - Role and responsibilities of Management and Employees
      - Value derived from IT initiatives
      - Role of CIO and CISO
      CONSULTANCY FOR IMPLEMENTATION OF GOVERNANCE AND COMPLIANCE FRAMEWORKS:
      - ISO 27001 is an international framework for Information Security implementation by various organizations. Our certified professionals shall guide the organization in implementation process and also to get the certification.
      - COBIT will provide the management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps to bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
      - DSCI Security & Privacy Framework: It is developed by Data Security Council of India & floated by NASSCOM. Our certified professionals shall guide the organization in implementation process.
      INFORMATION SECURITY AUDIT:
      - Review of Information Security policy and procedures which covers: reviewing policies & procedures, access control, data migration, database maintenance, archiving & backups, disaster recovery, network security, data security, risk assessment in new products/process and activities, email security, application security, operating system & website security, antivirus & piracy, incident/problem management, change management, digital signature implementation etc.
      - IT general controls: Version control, access control, backups, change management etc.
      - Network audit: Network topology, network availability, network security, inventory of all routers and switches, security of physical location, configuration, memory utilization, CPU utilization, traffic volume, special redundancy measures, number of dropped packets, identification and location of all firewalls and respective topologies etc.
      - Vulnerability Assessment and Penetration testing:
  13.   - External penetration testing and vulnerability assessment
        - Internal penetration testing and vulnerability assessment
        - Physical access controls to Data center and other work sites
        - Social engineering testing
        - Wireless technology background
        - Web application
      - Application assurance
        - Provide stakeholders with an assessment of the effectiveness of the application’s internal controls and security.
        - Identify internal control deficiencies within the customer organization and its interface with the service provider.
        - Provide audit stakeholders with an assessment of the quality of and their ability to rely upon the service provider’s attestations regarding internal controls.
      - Compliance management: Regulatory compliances, internal compliance to policies, incident management, Business continuity Plan, quarterly escalation and reporting of critical failures etc.
      SELECTIVE EXPERIENCE AND CLIENTELE
      DATA MIGRATION AUDIT FOR CENTRAL BANK OF INDIA
      IDBI Intech recently conducted the Data Migration Audit for Central Bank of India for various Branches when Central Bank of India initiated a massive process of Migration to B@ncs24 CBS. We performed 100% verification of Data using the ACL tool.
      MIGRATION AUDIT OF THE UNION BANK OF INDIA
      IDBI Intech has recently conducted the Migration audit for various branches of Union Bank of India for migration from ALPM system to Finacle. We made use of ACL tool for conducting the Migration audit and we also checked the migration from manual systems to Finacle.
      DATA MIGRATION AUDIT OF PUNJAB AND MAHARASHTRA CO-OPERATIVE BANK LTD.
      IDBI Intech conducted two Data Migration Audit Assignments for Punjab and Maharashtra Co-operative Bank Ltd.
      The Audit assignment was conducted in April 2010 for the erstwhile Jai Shivrai Nagari Sahakari Bank Ltd., which was acquired by the Punjab and Maharashtra Co-operative Bank Ltd.
      The similar Audit assignment was also conducted in May 2009 for the erstwhile Kolhapur Janata Sahakari Bank Ltd, which was acquired by the Punjab and Maharashtra Co-operative Bank Ltd.
  14. The Migration Audit exercise was conducted electronically using the ACL tool covering 100% verification of Data.
      DATA MIGRATION AUDIT FOR DENA BANK
      - To conduct data migration validations for 253 branches, which will be converted to the new CBS platform. Data Migration validation is done to ensure and validate that data as extracted from the legacy system in the format as required by the new core banking solution has been accurately and completely migrated / uploaded to the new core banking solution environment.
      - Review the data migration strategy document; perform a walkthrough of the data migration process at the data centre and branches.
      WEBSITE SECURITY REVIEW FOR SBI GENERAL INSURANCE
      IDBI Intech has recently conducted Security Audit of the website of SBI General Insurance as per the Cert-In guidelines. The Audit Assignment covered broadly the following areas:
      - Penetration Testing
      - Vulnerability Assessment of web server
      - Application Testing
      NETWORK & SECURITY REVIEW OF THE CMS CONNECTIVITY FOR IDBI FEDERAL
      We conducted a Network & security review of the CMS connectivity for IDBI Federal. We have mapped industry best practices with IDBI Federal current processes.
      - Identification of OS, application versions wherever applicable
      - Test for presence of default ports and services on the devices
      - Identification of security risks/threats associated with the open port and the service running on it
      - Identification of vulnerabilities related to the devices that could be due to incorrect configuration
      - Identification of known threats associated with those versions
      - Penetration Testing
      - Vulnerability Assessment
      - Network Architecture Review
      COMPREHENSIVE IS AUDIT FOR LIC MUTUAL FUND
      IDBI Intech has conducted comprehensive audit of systems and processes inter alia related to examination of integration of front office system with the back office system, fund accounting system for calculation of net asset values, financial accounting and reporting system for the AMC, Unit-holder administration and servicing systems for customer service, funds flow process, system processes for meeting regulatory requirements, prudential investment limits and access rights to systems interface. The Audit also included
  15. - Vulnerability Assessment
      - Penetration Testing
      - Application security review
      - Network Architecture Review
      - IT General Controls Review
      The Audit has been conducted as a part of Statutory Compliance with SEBI Regulations.
      IT GOVERNANCE CONSULTANCY AND COMPREHENSIVE IS AUDIT FOR THE STOCKHOLDING CORPORATION OF INDIA LTD (SHCIL)
      SHCIL is the largest Depository Participant in the country. We provided consultancy service to SHCIL in respect of IT Governance Consultancy and we are also in the process of developing the IS & IT policy and procedures and conducting a comprehensive Information System Audit.
      - IT Governance Consultancy: We assisted SHCIL in implementing general IT Governance. We also designed reforms in the present IT organisation structure, designed roles and responsibilities of key IT personnel, devised growth plans, promotion policies, Talent retention measures, Performance incentives, Salary restructuring, Training and development for the IT resources. We also gave valuable suggestions in the areas of Security policies, Business continuity planning, IT Risk management, Incident management system etc.
      - Designing and Implementing IS & IT Policy and Procedures comprehensive IS Audit: We conducted a Consultancy Assignment of designing and Implementing policies and procedures for SHCIL. We have mapped industry best practices with SHCIL’s current processes for the same and have designed and implemented the Policies.
      - Consultancy in IS & IT Policy Implementation including designing of IS & IT Procedures.
      - Comprehensive IS Audit being conducted at SHCIL include IT General Controls review audit, IT Infrastructure review and Application Assurance. Application Assurance Audit performed by us included review of business processes like Stock broking, Depository Participant service, Custodial Services. The applications we reviewed also included Human Resource, Payroll application and Provident Fund and Pension software used for NTPC etc.
  16. INFORMATION SECURITY CONSULTING - TEAM CREDENTIALS
      IDBI Intech Limited handpicks experts from the industry. Our selection process ensures only the best in the class Knowledge Associates join the organization. Our associates support our clients at various roles including Auditors, Information Security Consultants, CISOs, and CTOs.
      Certification (No.):
      - Certified Information Security Auditor (CISA): 16
      - Certified in Risk and Information Systems Control (CRISC): 2
      - Certified in the Governance of Enterprise IT (CGEIT): 2
      - Certified Ethical Hacker (CEH): 5
      - Certified Vulnerability Assessor (CVA): 1
      - EC-Council Certified Security Analyst (EC-CSA): 1
      - ISO 27001 Lead Implementer/Auditor: 7
  17. - BS25999 Lead Auditor: 1
      - Managed Security Services Professional: 11
      - IT Professional: 900+
      We have a team of talented young professionals possessing expertise in technical, functional & banking domains. The team members come from various educational backgrounds like Chartered Accountants, software Computer Engineers, MBA’s and senior bankers. Our team consists of certified ISO/IEC 27001:2005 Information Security Management system Lead Auditors, BS25999 LA, CISA, CGEIT, CRISC, EC-CSA, CVA, CEH, CCNA, MSCE etc.
      The team members possess a wide experience including Vulnerability Assessment, Penetration Testing, Application Security testing, Network Architecture reviews. The team is led by experienced senior bankers. Our techno functional expertise along with IS audit knowledge & experience would ensure quality and effective services.
      THE NEXT STEP
      IDBI Intech Limited has incredible experience in the Information Security Consulting space. We have the required capabilities to assess your compliance levels and offer value-added consulting services to address the gaps.
      We take it as our core mandate to offer you a true, world-class service at a highly competitive price. We strive to deploy the best resources, who’re highly qualified in their business, and who can make a positive impact in the engagement.
      We assure you of our best services at all times. We are looking forward to a long-lasting and mutually beneficial relationship.