Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients

Transcription

1 Network Test Labs Inc Security Assessment Service Description Complementary Service Offering for New Clients Network Test Labs Inc. Head Office Richards Street, Vancouver BC, V6B 2Z4 Website: Promo Code: NTLSA2014 Prepared for New Clients Only Tuesday, 11 March 2014 NTL Network Test Labs Incorporated. Initially published and distributed on Tuesday, 11 March 2014.

2 Table of Contents 1. Introduction Purpose and Scope Service Descriptions and Options Methodology NTL s Responsibilities Customers Responsibilities How Network Test Labs Inc. Can Help

3 1. Introduction Network Test Labs Inc. (NTL) Security Assessment service is designed for customers who are seeking to assess their IT security posture, minimize their vulnerability and reduce their security-related risks. This service evaluates the customers' existing network infrastructures and environments from a security perspective to identify security issues that may impact or threaten the customers' networks, missions and users. NTL's Security Assessment service also provides customers with valuable recommendations to close security gaps and help ensure the availability, confidentiality and integrity of the IT network and data. NTL s Security Assessment service is available for customer with either public or private networks or a combination thereof: Private (wired, x wireless) Public (wired and cellular) 1.1 Purpose and Scope The purpose of the assessment is to uncover any vulnerabilities or security weaknesses, as well as discuss these findings and mitigation advice with our customers. The threat analysis identifies the consequences/impact of the potential threats, and provides an evaluation of the likelihood of occurrence. The threat analysis will consider threats that exist within the current client network service infrastructure environment. Determine the current level of vulnerabilities and exploitable weaknesses, based on interviews, analysis and known vulnerabilities in the current client network service infrastructure. Based on the threats and vulnerabilities identified, construct a series of Threat Scenarios indicating which assets are most vulnerable and the potential consequences and perform a Risk Assessment to measure the various threat scenarios against the likelihood of occurrence and the potential consequences while indicating if existing safeguards are satisfactory or require improvement. This assessment will include the following steps: Assess all risks identified and document whether they pose a risk to the in-scope assets from a security perspective, Determine and document what impact the client may incur from an IT security perspective if a critical system asset were to be compromised, and Determine and document whether existing IT security safeguards are adequate to minimize threats and risks associated with the critical system assets. The final report will include all findings and vulnerabilities, along with suggested mitigations. 3

4 1.2 Service Descriptions and Options The Security Assessment services are available with the following options: Service Descriptions SANS Top 20 IP Addresses Scanned (Plus Discovery Full Scan IP Addresses Option A Up to 25 IP Up to 25 IP Intrusive & Non-Intrusive) Critical Hosts Scanned Edge Router Configuration Review Penetration Testing Web Application Security Assessment Wireless Security Assessment Secure Source Code Review Operating System Security Benchmark Database Security Benchmark Firewall Policy Review Security Policy Review Physical Security Review Up to 25 IP Up to 25 IP 1.3 Methodology NTL will use the following best practices delineated in: ISO:2002 standard security policy ITSG-33 IT Security OWASP and OSSTMM. 4

5 1.4 NTL s Responsibilities 1. Overall Scope. As part of each Security Assessment service, NTL s ISS team will: a. Review policies and procedures related to network security. b. Identify and map network topology and method of system interconnect. c. Collect network security scans. d. Analyze data collected. e. Provide suggestions for enhanced network security and efficiency. f. Provide recommendations and remediation strategies for closing security gaps. g. Prepare final report detailing findings and impacts to the business and mission. h. Deliver a live Executive Summary presentation of detailed findings and gap closure recommendations. 2. Project Management. NTL s ISS team will designate a point of contact (POC) and, as part of the pre-site stage, coordinate logistics and scheduling with the customer s POC for performing the service. 3. Statement of Work. Prior to beginning the engagement, NTL will prepare and deliver a Statement of Work (SOW), including a service project schedule, for the purchased Security Assessment service, which will provide detailed information about the services to be performed as part of the project. 4. Service Process. An NTL ISS engineer will complete the following process for each service option level and tier and the price to be paid by customer for such services: a. Conduct an offsite assessment overview with key customer and NTL stakeholders: Gather network definition data, network topology and applicable documents Discuss potential security impacts Review existing security policies and procedures Review any existing security audit reports b. Arrive on site to gather additional information Interview customer personnel Collect existing documentation Perform security vulnerability scans of the network Evaluate system firewalls c. Complete an off-site data assessment Perform a comprehensive security threat analysis Analyze security policies Prepare security assessment deliverables, i.e. an executive summary and detailed, formal written technical report. d. Conduct an on-site security assessment report presentation Review assessment findings in a workshop format Provide deliverables Plan follow-up Q&A session activities to take place within the following two (2) weeks 5. Final Report. NTL will provide a formal written report and a live executive summary presentation detailing the findings and recommendations. 5

6 1.5 Customers Responsibilities 1. Project Management. Customer must designate a POC who will coordinate logistics, schedules and technical information with the NTL POC. 2. Technical POC. Customer must designate a technical POC who is trained and knowledgeable of the project to work with the NTL ISS engineer and answer any technical or business process questions. 3. Confirmation of Scope. Customer will receive and must acknowledge in writing the Security Assessment service s SOW and Terms and Conditions (also referred to herein as the Security Assessment Agreement) provided by NTL in advance of ordering this service. 4. Access to Resources. Customer must provide appropriate access to the physical site, applicable documents and personnel to enable NTL to perform the service. Customer is responsible for all fees incurred, including labour costs and any customer-contracted third-party services, to provide such access. 5. Access to Network and Security Information. Customer must provide NTL with network topology diagrams and documented security policies and procedures for the current network and planned network architecture. Customer must also provide NTL with specific information pertaining to the IT hardware and software to which the system is connected or with which the system is otherwise interfacing. 6. Network Access. Customer must provide network access to enable NTL to connect testing and monitoring tools. 7. Assessment Project Support. Customer must complete any and all tasks assigned by NTL as part of the service engagement in a timely manner in keeping with the overall engagement schedule. 8. Safety. Customer must provide any site safety rules to NTL in advance of the engagement. 9. Administrative Resources. Customer must provide office space with customary amenities, including a desk, chair, telephone with voic , filing cabinet, access to copy and fax machine, access to mail and systems, access to meeting/conference room, parking at or near the facility where the office space is provided, and such other reasonable requirement identified by NTL. Customer is responsible for all costs associated with the use of these amenities. 10. Results Reporting. Customer must coordinate with NTL to schedule and arrange logistics for the final presentation of the final report. 11. Project Closure. Upon NTL s completion of all security assessment project milestones and deliverables, customer must complete and sign NTL s service acceptance certificate, signifying successful completion of all project activities. 6

7 2. How Network Test Labs Inc. Can Help NTL has extensive experience partnering with financial institutions, merchants and service providers nationwide by helping them with their security and compliance requirements. NTL s PCI Compliance Solutions meets data security standards required for merchants and service providers to achieve PCI compliance by addressing PCI DSS v2.0 Requirement 6.5, 6.6, 11.2 and 11.3 as follows: Performing quarterly internal and external vulnerability scans NTL, in partnership with Clone Systems are a certified Approved Scanning Vendor (ASV) by the PCI Security Standards Council, authorizing us to help you achieve compliance with the PCI Data Security Standard (DSS). NTL PCI Compliance Services perform independent and quarterly ASV vulnerability scans and produce the certified documentation for your records. In addition, NTL helps meet Report on Compliance (ROC) Audits through our trusted partner Qualified Security Assessors (QSAs). (Requirement 11.2) Using NTL to conduct penetration tests - Use NTL to perform penetration tests either in preparation for the official security assessment or for the audit itself. (Requirement 11.2, 11.3) Leveraging NTL s Managed PCI Services to provide the added value of automated quarterly scans including external vulnerability scanning - Includes up to twelve rescans per quarter at no extra charge, full remediation plans, eight hours of consulting time with one of our professional security consultants (2 hours per quarter) to review scan results and discuss remediation recommendations as well as any requested scan & report configuration changes. (Requirement 11.2) Performing NTL PCI Compliance Services - Offering annual internal and external penetration testing services required by PCI DSS in order to detect deficiencies more quickly and provide detailed recommendations for fixes that would prevent attacks. (Requirement 11.3) Performing NTL PCI Gap Analysis - For a detailed audit of your networked environment, web application development secure coding policies, physical security control policies, training polices and personnel policies, in addition to providing guidance on network segmentation to show you how to reduce the scope of your PCI audit and limit your cardholder segment. (Requirement 6.5) Performing Web application assessment testing - To identify vulnerabilities based on the OWASP Top 10 vulnerability list, in addition to providing Security Awareness Training, OWASP web development training and CEH/Penetration test training on request. (Requirement 6.6) PCI Awareness Training Program Our PCI DSS course walks learners through the requirements for PCI DSS compliance. Interactive training provides an enriched and enjoyable learning experience. An exam at the end of the course confirms your employees completion of the material. Reports can be easily generated for your own records or in the event of a PCI audit. Providing assistance in completing the appropriate PCI Self-Assessment Questionnaire (SAQ) - When required for PCI certification. 7

8 3. Payment Card Industry PCI Assurance Services PCI ASV Vulnerability Scanning Quarterly External Assessment PCI ASV Vulnerability Scanning Quarterly Internal Assessment PCI Awareness Online Training Program PCI Breach Protection Program PCI Database Security Assessment PCI DSS Gap Assessment Service PCI Remediation Service PCI Firewall Network Security Assessment PCI Penetration Testing Service PCI Policy Consulting Service PCI Secure Source Code Review PCI Systems Configuration and Controls Assurance PCI Web Application Assessment Service PCI Wireless Security Assessment Service 8