we45 Information Security Health Check (ISHC)
Information Security Health Check (ISHC)
Contents
Background
ISHC Roadmap
Diagnosis Snapshot
Deliverables
The Background
With the pervasive dependence of critical business functions on IT, organizations would like to benchmark their current levels of internal security controls against global best practices for information security within their domain.
we45, as a subject matter expert organization on Enterprise Governance, Risk and Compliance, would conduct an Information Security Health Check (ISHC) of the organization's IT infrastructure, processes and levels of awareness from a security perspective.
In the process, we45 would also assist and train the organization's internal IT security team on the concepts and required know-how of global security best practices, thereby reducing the organization's dependence on external "help" in the long run.
This exercise will be vastly different from the traditional "audit" that organizations are mostly used to and is largely comparable to a diagnostic medical health check.
The Proposed Road-Map
The entire ISHC is largely classified into the following three practice areas:
Governance, Risk and Process Controls
Technical Security Controls
Security Awareness (Knowledge and Capability)
Risk Assessment
we45 will perform a Risk Assessment for the organization to identify security risks and prioritize them by their impact on the organization. The Risk Assessment consists of the following activities:
Identifying Critical Information Assets and their Containers
Preparing Threat Profiles and Models to identify security threats (multiple categories and scenarios) against the organization
Performing Vulnerability Assessments (for technical vulnerabilities) and identifying other organizational vulnerabilities as part of the ISHC
Preparing an Integrated ISHC Report with Risk Metrics and Information
we45 utilizes some of the world’s best Risk Assessment methodologies including:
OCTAVE
ISO-31000 Principles
ISO-27005
NIST SP-800-30
FRAP
The Diagnosis in a Nutshell
The Diagnosis
Understand organizational IT business goals
Evaluate and analyze associated IT security risks
Benchmark the organization against industry best practices and similar organizations
Assessment techniques include:
Diagnostic Tests
Stakeholder interviews and discussions
Social Engineering Validations
Physical Observation & Verification
The Report
ISHC Assessment Report
Information Security Benchmarking
Domain-wise Traffic Indicators
List of controls-to-be-implemented
Indications on (applicable) compliance levels
Process-Level (Operations) Controls
An overall check on the process and operations level controls implemented at the organization from an information security perspective
we45 would first gain a complete understanding of the broad business and service lines at the organization and their corresponding dependence on information technology.
we45 would then design and compile a comprehensive set of organizational risk-based controls (derived from global best practices in the respective domain).
The compiled controls would then be evaluated and ranked against the controls currently implemented at the organization.
The resultant differential (gaps) would be ranked by criticality, and the feasibility of implementing them at the organization would be evaluated through discussions with the key stakeholders.
Technology Controls
A comprehensive and "real time" check on the technical security controls in place at the organization.
we45 would run diagnostic tests on a representative sample of the critical IT infrastructure components.
The above exercise would NOT be a fault-finding exercise; it would rather be an opportunity to present and appreciate certain technical improvements that have been implemented by organizations in similar businesses.
The resulting proofs of concept would also help senior management appreciate and understand the possible areas of concern from an overall IT risk and governance perspective and focus their efforts accordingly.
Vulnerability Assessment
A structured, comprehensive and repeatable methodology that we45 follows for Vulnerability (Technical Security) Assessments
A unique hybrid methodology combining automated and manual security testing for the best results and highest ROI
A proven methodology derived from the world's best, including PTES, OSSTMM, OWASP and SANS
Technical Competence - Tools and Technologies
We utilize over 100 tools and techniques to perform detailed and comprehensive Vulnerability Assessments.
Some of them include:
Tools from Tenable Network Security
Rapid7 Tools - Both Vulnerability Assessment and Exploitation
Web Vulnerability Scanners, Fuzzers and Proxies including Burp, ZAP and Commercial Web Application Testing Suites
Nipper and Titania Suites for Network Security Assessments
among others...
In addition, we have developed several in-house tools and scripts to perform a more detailed Vulnerability Assessment including:
json-fuzzer for modern Web Applications
ERP Scanning tools for SAP and Oracle Security Assessments
Advanced Web scraping and spidering tools
Knowledge Accentuation
As indicated earlier, the entire assessment is aimed at equipping the organization's internal team with the appropriate training and knowledge transfer on security best practices, which would eventually reduce their dependence on external vendors in due course.
Through interviews and discussions with the IT stakeholders, we45 would determine and review the existing levels of IT security awareness at the organization.
In addition, we45 would also launch "harmless" yet effective social engineering tests aimed at specific sections of the internal IT community to gauge the practical, real-time application of theoretical knowledge and awareness.
The Traffic Lights
At the end of the above-mentioned activities, the organization's senior management would be presented with an Information Security Maturity dashboard with health indicators.
The dashboard (categorized by domain) would give a good indication of where the organization currently stands on various aspects of Governance, Risk and Compliance as compared to global industry standards.
This would also help management take calculated and informed decisions on future efforts in areas that need more focus.
This could also be a good tool for the "measurement of effective controls" as required by global compliance standards such as ISO 27001.
The Deliverables
An exhaustive list (line items) of ideally applicable controls at the organization.
A Security Assessment Report based on the tests conducted on the organization's IT infrastructure.
An Information Security Maturity dashboard with visual indicators of health levels across process areas.
A detailed and comprehensive roadmap for closing the gaps found in the scoped domains of the ISHC.
Thank You