we45 Information Security Health Check (ISHC)

Upload: we45

Posted on 15-Jul-2015

Page 1: we45 Information Security HealthCheck (iSHC)

Information Security Health Check (ISHC)

Page 2

Contents

Background

ISHC Roadmap

Diagnosis Snapshot

Deliverables

Page 3

The Background

With the pervasive dependence of critical business functions on IT, organizations would like to benchmark their current levels of internal security controls against global best practices of information security within their domain.

we45, as a subject matter expert organization on Enterprise Governance, Risk and Compliance, would conduct an Information Security Health Check (ISHC) on the organization’s IT infrastructure, processes and levels of awareness from a security perspective.

In the process, we45 would also assist and train the organization’s internal IT security team on the concepts and know-how of global security best practices, thereby reducing the organization’s dependence on external “help” in the long run.

This exercise will be vastly different from the traditional “audit” that organizations are mostly used to and is largely comparable to a diagnostic medical health check.

Page 4

The Proposed Road-Map

The entire ISHC is largely classified into the following three practice areas:

Governance, Risk and Process Controls

Technical Security Controls

Security Awareness (Knowledge and Capability)

Page 5

Risk Assessment

we45 will perform a Risk Assessment for the organization to identify security risks and prioritize them by impact on the organization. The Risk Assessment consists of the following activities:

Identifying Critical Information Assets and their Containers

Preparing Threat Profiles and Models to Identify Security Threats (multiple categories and scenarios) against the organization.

Performing Vulnerability Assessments (for Technical Vulnerabilities) and identifying other organizational vulnerabilities as part of the ISHC

Preparing an Integrated ISHC Report with Risk Metrics and Information

we45 utilizes some of the world’s best Risk Assessment methodologies including:

OCTAVE

ISO-31000 Principles

ISO-27005

NIST SP-800-30

FRAP

Page 6

The Diagnosis in a Nutshell

The Diagnosis

Understand organizational IT business goals

Evaluate and analyze associated IT security risks

Benchmarking Organization against Industry Best Practices and similar organizations.

Assessment techniques include:

Diagnostic tests

Stakeholder interviews and discussions

Social engineering validations

Physical observation and verification

The Report

ISHC Assessment Report

Information Security Benchmarking

Domain-wise Traffic Indicators

List of controls-to-be-implemented

Indications on (applicable) compliance levels

Page 7

Process-Level (Operations) Controls

An overall check on the Process and Operations level controls implemented at the organization from an Information Security perspective

we45 would first build a complete understanding of the broad business and service lines at the organization and their corresponding dependence on information technology.

we45 would then design and compile a comprehensive set of organizational risk based controls (derived from Global Best Practices in the respective domain).

The compiled controls would then be evaluated and ranked against the existing implemented controls at the organization.

The resulting differential (gaps) would be ranked by criticality, and the feasibility of implementing the missing controls at the organization would be evaluated through discussions with the key stakeholders.

Page 8

Technology Controls

A comprehensive, “real-time” check on the technical security controls in place at the organization.

we45 would run diagnostic tests on a representative sample of the critical IT infrastructure components

The above exercise would NOT be a fault-finding exercise; rather, it would be an opportunity to present and appreciate technical improvements that organizations in similar businesses have implemented.

The proof-of-concept results from these diagnostic tests would also help senior management appreciate and understand the possible areas of concern from an overall IT risk and governance perspective, and focus efforts accordingly.

Page 9

Vulnerability Assessment

A Structured, Comprehensive and Repeatable Methodology that we45 follows for Vulnerability (Technical Security) Assessments

Unique hybrid methodology combining automated and manual security testing for best results and highest ROI

Proven Methodology derived from the world’s best including PTES, OSSTMM, OWASP and SANS.

Page 10

Technical Competence - Tools and Technologies

We utilize over 100 tools and techniques to perform detailed and comprehensive Vulnerability Assessments.

Some of them include:

Tools from Tenable Network Security

Rapid7 Tools - Both Vulnerability Assessment and Exploitation

Web Vulnerability Scanners, Fuzzers and Proxies including Burp, ZAP and Commercial Web Application Testing Suites

Nipper and Titania Suites for Network Security Assessments

among others...

In addition, we have developed several in-house tools and scripts to perform a more detailed Vulnerability Assessment including:

json-fuzzer for modern Web Applications

ERP Scanning tools for SAP and Oracle Security Assessments

Advanced Web scraping and spidering tools

Page 11

Knowledge Accentuation

As indicated earlier, the entire assessment is aimed at equipping the organization’s internal team with the appropriate training and knowledge transfer on security best practices, which would eventually reduce their dependence on external vendors over time.

Through interviews and discussions with the IT Stakeholders we45 would determine and review the existing levels of IT Security awareness at the organization.

In addition, we45 would also launch “harmless” yet effective social engineering exercises aimed at specific sections of the internal IT community, to gauge how well theoretical knowledge and awareness are applied in practice.

Page 12

The Traffic Lights

At the end of the above-mentioned activities, senior management at the organization would be presented with an Information Security Maturity dashboard with health indicators.

The dashboard (categorized by domain) would give a good indication of where the organization currently stands on various aspects of Governance, Risk and Compliance as compared to global industry standards.

This would also help management take calculated and informed decisions on future efforts in areas that need more focus.

This could also serve as a good tool for the “measurement of effective controls” required by global compliance standards such as ISO 27001.

Page 13

The Deliverables

An exhaustive list (line items) of ideally applicable controls at the organization.

A Security Assessment Report based on tests conducted on the IT Infrastructure at the organization.

An Information Security Maturity dashboard with visual indicators of health levels across process areas.

A detailed and comprehensive roadmap for remediating the gaps found in the scoped domains of the ISHC.

Page 14

Thank You