G-Cloud Definition of Services Security Penetration Testing

Transcription

1 G-Cloud Definition of Services Security Penetration Testing Commercial in Confidence

2 G-Cloud Services An Overview Inner Security is a leading CREST registered information security services provider. We are renowned for our excellence in the penetration testing of critical government and large corporate systems. As well as providing the probability and impact of exploitation in reports, Inner Security provides a business impact. Inner Security issues this additional information due to vulnerabilities and threats being at a different risk levels dependent on the business function of our clients. Penetration testing is at the core of our business. However, this strong technical capability and our experience in risk mitigation has enabled us to offer a broad range of complementary services. These provide great business value to our clients. Our credibility is demonstrated by our sector accreditations and by our track record in delivering business value to our prestigious blue chip client base. These include both FTSE 100 and FTSE 250 companies. Our clients are from a diverse range of business sectors including government, finance, retail, information technology and telecommunications. We do not employ a sales force. Our business is built upon our strong reputation within the industry and the development of long term relationships with our clients, based upon mutual trust and respect Information Assurance Inner Security is a CREST registered company and are accredited to work at Impact Level 3 Tender and Scope Procedures Inner Security work to a detailed and thorough tender and scoping procedure, the details are found within the document named below (this can be found in the C-Cloud catalogue). The Inner Security Pre-scope Questionnaire and Scoping Template will be issued at the point of tender: Inner Security Tender and Scope Procedure IS-GC3-08 All reporting will be in accordance with the Inner Security Report Template. This is designed to provide a high level Executive Summary, as well as a detailed technical report. Our reports highlight the Business Impact that vulnerabilities may have on your organisation. A template of this report is available on request.

3 Pricing The day rates charged by Inner Security can be found in the table below as well as in the document Inner Security SFIA Rate Card IS-GC3-09 : Our Services Inner Security will be offering services as part of Lot 4 through the Government s G-Cloud services. Penetration testing helps to safeguard your organisation from malicious intent. The business benefits include: i) Avoiding cost of network downtime Recovering from a security breach can be extremely expensive due to IT remediation, reduced employee productivity and lost revenue. Penetration testing identifies and addresses risks before security breaches occur. Preserve corporate image A single incident that compromises customer data can be costly. Penetration testing helps to avoid incidents that put your organisation's reputation and goodwill at stake. Cyber security insurance Security testing is becoming a pre-requisite in obtaining cyber security insurance. Network Infrastructure penetration test (Internal/External) Identifying vulnerabilities such as full administration access gained through the exploitation of running network services. Application penetration test (Internal/External) Testing for example, that administration access cannot be achieved through by-passing authentication procedures. Internet exposure penetration test (Information Disclosure) Testing for sensitive company information that may be available on the internet. Social engineering assessment Testing employees' susceptibility to the disclosure of sensitive company information Physical security assessment Testing the robustness of the access mechanisms that protect company assets.

4 Wireless Penetration Test Attempt to gain access to your wired network through rogue access points in the wireless network. VOIP Penetration Test This will identify any routes from your VIOP network into the main IT network (this can allow external access into your IT infrastructure) On-host and infrastructure security test mapped to security policies This test is designed to reveal missing patches, blank passwords and other vulnerable areas of security settings. It also examines the implementation of the company security policy at the technical level. VPN (virtual private network) assessment Testing for flaws in authentication mechanisms and the configuration state to ensure that network boundaries are not compromised by the external VPN Code review This review tests for 'back doors' into your system. For example, we check for buffer overflows and developer hooks that could lead to systems being compromised. Firewall assessment technical and physical audit review Testing your firewall effectiveness and ensure that it meets the standards set by security policies. This can prevent dangerous services traversing the firewall from the internet. Mobile device assessment (including Bring Your Own Mobile) Testing mobile devices for assurance of data security, ensuring that sensitive data is properly encrypted. This protects you against data compromise in the event of loss or theft of the device. Denial of service assessment This assesses the resilience of your network to attack from external sources, for example a DDOS attack. This type of attack can render your services unable to operate effectively. Training All Inner Security consultants are all qualified to industry standards and are responsible for updating their professional development within their specialist areas. They follow the Inner Security Methodology (accredited by CREST) and adhere to the requirements laid down by the company. In addition, Team Meetings and debriefs are designed to disseminate and update colleagues about new initiatives and developments. Where specified within the Inner Security Scoping Document, consultants will undertake to ensure that training requirements are met. The efficacy of the training provided can be evaluated via the Inner Security Client Feedback Questionnaire. Ordering and Invoicing Following a successful tender, scope and quotation, Inner Security will commence work in line with the agreed Scope of Work on receipt of a Purchase Order. Invoices will be issued and payment is required within 30 working days. Further Clarification of these terms can be found in the document: Inner Security Terms of Business IS-GC3-07

5 Termination of Contracts Please refer to the document: Inner Security Terms of Business IS-GC3-07 Client Responsibilities Please refer to the document: Inner Security Terms of Business IS-GC3-07 Service Levels Service levels and availability are highlighted on our rate card. In the unlikely event that Inner Security do not meet the required standard of service this is covered in our Terms of Business. The following services are not provided by Inner Security in respect of G-Cloud Services: Data restoration / service migration. Trial Services. Back-up and Restore.

6 ----End of Document----