3. The Background
With the pervasive dependence on IT by critical business functions, organizations would like to benchmark their current levels of internal security controls against Global Best Practices of Information Security within their domain.
we45, as a Subject Matter Expert organization on Enterprise Governance, Risk and Compliance, would conduct an Information Security Health Check (ISHC) on the organization's IT Infrastructure, Processes and levels of awareness from a security perspective.
In the process, we45 would also assist and train the internal IT Security team at the organization on the concepts and required know-how of global security best practices, thereby reducing the organization's dependence on external "help" in the long run.
This exercise will be vastly different from the traditional "audit" that organizations are mostly used to, and is largely comparable to a diagnostic medical health check.
4. The Proposed Road-Map
The entire ISHC is largely classified into the following three practice areas:
Governance, Risk and Process Controls
Technical Security Controls
Security Awareness (Knowledge and Capability)
5. Risk Assessment
we45 will perform a Risk Assessment for the Organization to identify and prioritize Security Risks by impact for the Organization. The Risk Assessment consists of the following activities:
Identifying Critical Information Assets and their Containers
Preparing Threat Profiles and Models to identify Security Threats (multiple categories and scenarios) against the organization
Performing Vulnerability Assessments (for Technical Vulnerabilities) and identifying other organizational vulnerabilities as part of the ISHC
Preparing an Integrated ISHC Report with Risk Metrics and Information
we45 utilizes some of the world's best Risk Assessment methodologies, including:
OCTAVE
ISO-31000 Principles
ISO-27005
NIST SP-800-30
FRAP
6. The Diagnosis in a Nutshell
The Diagnosis
Understand organizational IT business goals
Evaluate and analyze associated IT security risks
Benchmarking the Organization against Industry Best Practices and similar organizations
Assessment Techniques include:
Diagnostic Tests
Stakeholder interviews and discussions
Social Engineering Validations
Physical Observation & Verification
The Report
ISHC Assessment Report
Information Security Benchmarking
Domain-wise Traffic Indicators
List of controls-to-be-implemented
Indications on (applicable) compliance levels
7. Process- Level (Operations) Controls
An overall check on the Process and Operations level controls implemented at the organization from an Information Security perspective.
we45 would first build a complete understanding of the broad business and service lines at the organization and their corresponding dependence on Information Technology.
we45 would then design and compile a comprehensive set of organizational risk-based controls (derived from Global Best Practices in the respective domain).
The compiled controls would then be evaluated and ranked against the controls already implemented at the organization.
The resultant differential (Gaps) would be ranked by criticality, and the feasibility of implementing them at the organization would be evaluated through discussions with the key stakeholders.
8. Technology Controls
A comprehensive and "Real Time" check on the technical security controls in place at the organization.
we45 would run diagnostic tests on a representative sample of the critical IT infrastructure components.
The above exercise would NOT be a fault-finding exercise, but would rather be considered an opportunity to present and appreciate certain technical improvements that are implemented by organizations in similar businesses.
The Proof of Concepts (above) would also help the senior management to appreciate and understand the possible areas of concern from an overall IT Risk and Governance perspective, and accordingly focus efforts.
9. Vulnerability Assessment
A Structured, Comprehensive and Repeatable Methodology that we45 follows for Vulnerability (Technical Security) Assessments
Unique Hybrid Methodology consisting of automated and manual security testing for best results and highest RoI
Proven Methodology derived from the world's best, including PTES, OSSTMM, OWASP and SANS
10. Technical Competence - Tools and Technologies
We utilize over 100 tools and techniques to perform detailed and comprehensive Vulnerability Assessments.
Some of them include:
Tools from Tenable Network Security
Rapid7 Tools - Both Vulnerability Assessment and Exploitation
Web Vulnerability Scanners, Fuzzers and Proxies including Burp, ZAP and Commercial Web Application Testing Suites
Nipper and Titania Suites for Network Security Assessments
among others...
In addition, we have developed several in-house tools and scripts to perform a more detailed Vulnerability Assessment, including:
json-fuzzer for modern Web Applications
ERP Scanning tools for SAP and Oracle Security Assessments
Advanced Web scraping and spidering tools
11. Knowledge Accentuation
As indicated earlier, the entire assessment is aimed at equipping the internal team at the organization with the appropriate training and knowledge transfer on security best practices, which would eventually reduce their dependence on external vendors in due course of time.
Through interviews and discussions with the IT Stakeholders, we45 would determine and review the existing levels of IT Security awareness at the organization.
In addition, we45 would also launch "harmless", yet effective Social Engineering attacks aimed at specific sections of the internal IT community to gauge the real-time practical application of theoretical knowledge/awareness.
12. The Traffic Lights
At the end of the above-mentioned activities, the senior management at the organization would be presented with an Information Security Maturity dashboard with health indicators.
The dashboard (categorized according to domains) would give a good indication of where the organization currently stands on various aspects of Governance, Risk and Compliance as compared to Global Industry Standards.
This would also help the management take calculated and informed decisions on future efforts in areas that need more focus.
This could also be a good tool for the "Measurement of Effective Controls" as per global compliance standards such as ISO 27001.
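The gap ranking described in section 7 (controls ranked by criticality, with feasibility from stakeholder discussions), the impact-based prioritization of section 5, and the domain-wise traffic lights of section 12 can be made concrete with a small script. The following is an added example and is not we45's own tooling or the ISHC deliverable format; the control register, the scoring fields (criticality, implemented, feasibility), the criticality weighting, the gap threshold and the colour thresholds are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Control:
    """One line-item control from the best-practice baseline.

    Field meanings are assumptions made for this example:
      criticality  1 (low) .. 5 (high): business impact if the control is missing
      implemented  0.0 (absent) .. 1.0 (fully in place), as found by the assessment
      feasibility  1 (hard) .. 5 (easy): effort to close the gap, from stakeholders
    """
    control_id: str
    domain: str
    title: str
    criticality: int
    implemented: float
    feasibility: int

    def gap(self) -> float:
        """Residual gap: 0.0 when fully implemented, 1.0 when absent."""
        return round(1.0 - self.implemented, 3)

    def priority(self) -> float:
        """Criticality-weighted gap; higher means close it sooner."""
        return round(self.criticality * self.gap(), 3)


# Constructed sample register (not real assessment data).
SAMPLE_CONTROLS: List[Control] = [
    Control("G-01", "Governance", "Security policy approved by management", 4, 1.0, 5),
    Control("G-02", "Governance", "Risk assessment performed at least annually", 5, 0.5, 4),
    Control("G-03", "Governance", "Security review of third-party vendors", 3, 0.0, 3),
    Control("T-01", "Technical", "Patch management with defined SLAs", 5, 0.25, 3),
    Control("T-02", "Technical", "MFA on remote and administrative access", 5, 0.0, 4),
    Control("T-03", "Technical", "Centralised logging and alerting", 4, 0.75, 2),
    Control("A-01", "Awareness", "Annual security awareness training", 3, 1.0, 5),
    Control("A-02", "Awareness", "Phishing simulation with follow-up coaching", 3, 0.0, 4),
]


def rank_gaps(controls: Iterable[Control], threshold: float = 0.25) -> List[Control]:
    """Controls whose gap exceeds `threshold`, most critical first.

    Ties on priority go to the gap that is easier to close (higher feasibility),
    then to control_id so the order is stable and reproducible.
    """
    open_gaps = [c for c in controls if c.gap() > threshold]
    return sorted(open_gaps, key=lambda c: (-c.priority(), -c.feasibility, c.control_id))


def domain_coverage(controls: Iterable[Control]) -> Dict[str, float]:
    """Criticality-weighted implementation level per domain, in [0, 1]."""
    weighted: Dict[str, float] = {}
    total: Dict[str, int] = {}
    for c in controls:
        weighted[c.domain] = weighted.get(c.domain, 0.0) + c.criticality * c.implemented
        total[c.domain] = total.get(c.domain, 0) + c.criticality
    # A domain whose controls all carry zero criticality has nothing to measure;
    # report 0.0 instead of dividing by zero.
    return {d: round(weighted[d] / total[d], 3) if total[d] else 0.0 for d in total}


def traffic_light(coverage: float) -> str:
    """Map a coverage ratio to a dashboard colour. Thresholds are assumptions."""
    if coverage >= 0.8:
        return "GREEN"
    if coverage >= 0.5:
        return "AMBER"
    return "RED"


def dashboard(controls: Iterable[Control]) -> Dict[str, str]:
    """Domain-wise traffic-light indicators for the maturity dashboard."""
    return {d: traffic_light(v) for d, v in domain_coverage(controls).items()}


if __name__ == "__main__":
    for c in rank_gaps(SAMPLE_CONTROLS):
        print(f"{c.priority():>5}  {c.control_id}  [{c.domain}] {c.title}")
    for domain, colour in dashboard(SAMPLE_CONTROLS).items():
        print(f"{domain:<11} {colour}")
```

Weighting the domain score by criticality means a domain with one missing high-impact control reads worse than one with several missing low-impact controls, which matches how section 5 prioritizes risks by impact; the gap threshold keeps controls that are nearly complete (such as T-03 at 0.75) off the remediation list so the roadmap focuses on the material gaps.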
13. The Deliverables
An exhaustive list (line items) of ideally applicable controls at the organization.
A Security Assessment Report based on tests conducted on the IT Infrastructure at the organization.
An Information Security Maturity dashboard with visual indicators of health levels across process areas.
A detailed and comprehensive roadmap towards remediating the gaps found in the scoped domains of the ISHC.