SECURITY. Risk & Compliance Services

Transcription

1 SECURITY Risk & Compliance s V1 8/2010

2 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize risk, improve operational efficiency, and satisfy regulatory mandates. We will provide your organization with metrics needed to make critical business decisions on where to spend valuable time and money protecting your assets while maintaining industry-best practices and regulatory compliance. Features & Benefits Features & Benefits Approach Approach Key Deliverables Key Deliverables Requirements Requirements TRACE3 Trace3 Security s provide provide the following the following features features and benefits: and benefits: Provides your management team team with with a rapid a rapid top top down- down- big picture big picture of current of current security security posture. posture. Proactively identify possible or potential security risks, or vulnerabilities, that may allow access to Proactively confidential identify areas of possible a network, or allow potential a denial security of service risks, to be or vulnerabilities, performed, or obtain that information may allow access from your to confidential network. areas of a network, allow a denial of service to be performed, or obtain information This exercise from will produce your network a deliverable cataloguing potential vulnerabilities in the environment This and exercise outline a will remediation produce strategy a deliverable to resolve cataloguing the identified potential issues. vulnerabilities in the environment Benchmarks current and outline environment a remediation against industry strategy best to resolve practices. the identified issues. Benchmarks current environment against industry best practices Reveals and quantifies network infrastructure weaknesses and provides both tactical and Reveals strategic and opportunities quantifies network to remedy infrastructure these weaknesses. weaknesses and provides both tactical and strategic opportunities to remedy these weaknesses. Identifies risks to the confidentiality, integrity and availability of information and information Identify systems. and understand risks to the confidentiality, integrity and availability of information and information systems. Provide recommendations for gaps in policy by strengthening of current policy or addition of Provide new policies. recommendations for gaps in policy by strengthening of current policy or addition of new policies. Trace3 will gather and organize the data necessary to make informed conclusions and TRACE3 will gather and organize the data necessary to make informed conclusions and recommendations through on-site interviews, walkthroughs, asset inventories, device configuration recommendations review, document review, through and on-site hands-on interviews, equipment walkthroughs, evaluation. All asset areas inventories, of the network device configuration infrastructure review, can be reviewed document including review, WAN/LAN and hands-on protocols equipment and topology, evaluation. operating All systems, areas of routing the network and switching, infrastructure remote/internet can be reviewed connectivity, by including cabling, and WAN/LAN network/systems protocols management and topology, tools. Within operating these areas, systems, Trace3 routing will focus and on switching, security posture remote/internet as it relates to connectivity, People, Process cabling, and and Technology network/systems in accordance management with best practices. tools. Within these areas, TRACE3 will focus on security posture as it relates to People, process and Technology in accordance with best practices. Security s delivers the following: Security Formal discovery s report including delivers executive the following: summary and detailed facts and finding from the Formal discovery Discovery phase of Report assessment. including executive summary and detailed facts and finding from Specific the recommendations, discovery phase of including assessment. justification and benefits. Specific recommendations, including justification and benefits Detailed vulnerability reports with one step remediation plans. Detailed Vulnerability reports with one step remediation plans. A A comprehensive security standards and and compliance compliance matrix matrix will be will provided be provided in accordance in with best practices. accordance with best practices. Collaborative Feedback feedback report Report to your to your IT organization IT organization through through an interactive an interactive presentation or workshop. presentation or workshop. To To conduct a a Network Technology Infrastructure service, service, Trace3 TRACE3 requires requires the following: the following: Network drawings depicting your environment. If such an as-built is not available, Trace3 offers a Network drawings Discovery depicting and Documentation your environment. service. If such an as-built is not available, TRACE3 Detailed offers information a Network on the Discovery current network and Documentation layout including service. subnet allocation, network device Detailed locations, information and IP addresses. on the current network layout including subnet allocation, network List of personnel device locations, and scheduled and IP interview addresses. times prior to project kickoff meeting. List of personnel and scheduled interview times prior to project kickoff meeting. Access to your network equipment. Access to your network equipment. A static A static and and functional network environment during during the the course course of our of discovery/data our discovery/data collection phase. collection phase. Trace3 Co-Management Risk & Compliance Solutions s Guide

3 Risk & compliances services Risk & Compliance s Please select all all that apply to to the project Compliance/ Compliance/ Risk Risk \ Sarbanes-Oxley GLBA HIPAA PCI PCI Readiness ISO 17799/27001 OWASP COBIT NSA IAM/IEM PIPEDA NERC NIST/ Best Practice Custom Vulnerability Disaster Planning Remote Remote App Config. Review App Config. Review Device Config Review Device Config Review Network Config. Review Network Config. Review Server Config. Review Server Config. Review Disaster Social Engineering Social Engineering Off Hours Off Hours Web Application Web Application DR Planning DR Planning DR Creation DR Creation DR Exercise DR Exercise Data Criticality Analysis Data Criticality Analysis Physical Physical Wireless Wireless DR Gap Analysis DR Gap Analysis DR DR Business Impact Analysis Business Impact Analysis Custom Custom Forensics Forensics Incident Response Incident Response Policy Policy Policy Creation Policy Creation Physical Security Physical Security Wireless Security Wireless Security Security Training Security Training Server Hardening Server Hardening Security Architecture Security Architecture Target State Target State Virtual CSO Virtual CSO Trace3 Co-Management Risk & Compliance Solutions s Guide

4 External Vulnerability An external vulnerability assessment will assess your environment from an external or public view to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or obtain sensitive internal information. Internal Vulnerability An internal vulnerability assessment will assess your environment from the internal view of the network to identify vulnerabilities that may allow access to confidential areas of a network, allow a denial of service to be performed, or allow access to sensitive internal information. Password complexities are also verified, virus protection and patch management are assessed, and a sample number of servers and workstations are reviewed to provide recommendations on how to enhance the organization s security posture. Host & Network testing, also known as ethical hacking, is conducted to confirm the true risk of vulnerabilities identified. Through exploitation of vulnerabilities, engineers will try to gain root or administrator-level access to the target systems and/or other trusted user account access. During this process, advanced tools and custom utilities will be used to maintain availability of the servers while gaining access to potential vulnerable services. After manual verification of the information tested, we provide a mitigation plan to secure the network and prevent the information from being accessed. Application With the evolution of technology making perimeter access devices more secure and the rise in the sophistication of e-business focused attacks, the security focus has shifted to the next battlefront applications. Custom coded applications offer up addition attack vectors for hackers. Application penetration testing is directly related to testing those applications that have been custom developed or built on top of other commercial applications. Application security testing does not involve looking at hosting software such as the web servers, but rather focuses on the application software itself. Social Engineering Social engineering evaluates the ultimate weakest link in your security program by testing the security awareness and education of an organization s user population. Using specialized attacks such as phishing, random phone calls, information gathering, and tailgating, consultants are quickly able to determine where vulnerabilities exist in an organization by exploiting weaknesses in human vulnerabilities. Red Team Red Team testing is a state of the art system of exposing information security risks. This methodology quickly and directly identifies key corporate assets and their real world weakness and strengths on all levels of security posture (physical, logical, electronic, social, environmental and business process/structure). The result of this assessment enables clients to find out their true level of defense against generic and sophisticated attacks. Trace3 Co-Management Risk & Compliance Solutions s Guide

5 Risk Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity and availability of information and information systems. In its simplest form, a risk assessment consists of the identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks. This assessment will include policy review, architecture review and security practice review. By taking this approach, a security control baseline will be compiled for our customer s environment. This will give the customer an understanding of the current state of security as well as an accurate roadmap to meet Sarbanes-Oxley IT security compliance. In addition to technical reviews and policy inspection, a comprehensive requirements matrix will be compiled. This matrix will show mapping to specific security requirements, as interpreted by the provider, of Sarbanes-Oxley sections 302, 404 and 802. Sarbanes- Oxley (SOX) Gramm- Leach-Bliley (GLBA) The GLBA assessment process is designed to identify, measure, manage, and control the risks to system and data availability, integrity and confidentiality, as well as to ensure accountability for system actions within financial institutions. This particular assessment will follow the guidelines as provided by GLBA and FFIEC to assess the current level of compliance to GLBA and relative security of the environment. Health Insurance Portability & Accountability Act (HIPAA) Section (a)(1) of HIPAA requires an organization to conduct the risk analysis of the organization. This analysis is required to understand the flow of e- PHI (Electronic Protected Health Information) in the organization and the result of this analysis will facilitate creation of security policies & procedures and support the recommendation to initiate the HIPAA Security Compliance related remediation activities. This assessment will enable organizations to gain a full understanding of their compliance with HIPAA, provide a gap analysis against current security controls, and provide a remediation plan to achieve full compliance. ISO 27001/7700 ISO/IEC and its related code of practice, ISO/IEC 17799, provide internationally accepted, standardized criteria to implement an effective information security management system. The basis for the standard is that information is an organization s most valuable asset. As a valued asset, information must be managed and protected from internal and external threats. In order to protect its information assets, the organization must develop sustainable security measures and integrate those measures into its business processes. ISO/IEC and ISO/IEC assessments provide strategic and tactical direction for assessing, measuring and preventing threats, as well as proposed range of security controls focused on safeguarding information assets. Trace3 Co-Management Risk & Compliance Solutions s Guide

6 Policy and Procedure A review of documented security policies for proper coverage of information security as related to ISO Through this review we will recommend additional policies/procedures and/or modifications to existing policies that have been or need to be created. Policy & Procedure Writing Assist in writing policies and procedures applicable to the business and operational needs of a network. The goal for this activity is to develop a tailored and flexible plan that is easy to use when recovery activities are activated. Specific objectives to achieve this goal include: Disaster Planning Disaster Define the components of the plan. Select team leaders, members and alternates based upon functional areas who may be involved in the plan development and initial walkthrough of the plan. Develop procedures that address and document the steps for responding to a crisis event, recovering operational capability and resuming critical business functions, and eventually restoring all functions to business as usual. Ensure important decisions are made and documented in the plan. Document relationships that will be relied upon if the company experiences a disaster, including contact names and type of assistance they may provide. Review completed plans with senior management to confirm approach and assumptions. Reassess work program and schedule and make necessary adjustments. Test facilitation and training services provide organizations with an independent, objective exercise and assist with bringing stakeholders up to speed on what they need to know. gives management confidence in the validity of their plans, and training provides for usability of plans in the hands of stakeholders who will execute them. Business Impact Analysis (BIA) The BIA process is normally conducted to help an organization identify the key systems and data relevant to sustaining business. This process is the first step in putting together an effective business continuity plan. It requires client participants to identify economic, legal, service, and other operational implications that affect their ability to deliver a service or other work product in the event of a service disruption. The BIA process helps define the results of a loss on individual locations, business units or processes in financial and operational terms. The results provide information about a business area s current ability to deal with a disruption, and the potential impacts that may be experienced if one should occur. Rogue Wireless Detection: Detect rogue wireless AP s including Direction Finding of said connection devices. Wireless Test Attempts at gaining access to wireless networks through compromising vulnerabilities in the wireless infrastructure to gain unauthorized access to networks and systems. Trace3 Co-Management Risk & Compliance Solutions s Guide

7 Wireless Architecture of the diagrams of wireless networks and protocols surrounding them for security efficacy and potential vulnerabilities. Wireless Policies & Procedures of policies and procedures pertaining to wireless networking. Conducting a gap analysis of those policies and procedures for best practices. Physical Security This assessment process begins with a characterization of the facility including identification of the undesired events and the respective critical assets. Guidance for defining a design basis threat is included, as well as the definition of the threat to estimate the likelihood of an adversary attack at a specific facility. Relative values of consequence are estimated. Methods are also included for estimating the effectiveness of the security system against the adversary attack. Finally, risk is calculated. In the event that the value of risk is deemed to be unacceptable (too high), the methodology addresses a process for identifying and evaluating security system upgrades in order to reduce risk. Forensic Analysis Complete systems analysis of live systems for forensic evidence. Hard Drives Analysis Forensics analysis of hard drives for evidence of crimes, intrusions or incidents. Such evidence can be taken to authorities and courts. Rootkit Detection Detection of rootkits, backdoors, Trojans, etc. for forensic purposes. Active Threat Defense Defending a network against an active attack (ie. DDoS, corporate espionage, counter attack, etc.) External Threat Mitigation Identify, monitor and track external threats. (Hacking, theft, harrassment, etc.) Internal Threat Mitigation Problematic internal employee or resource tracking, monitoring, and mitigation. (AUP violations, termination policy enforcement, internal hacking, etc.) Trace3 Co-Management Risk & Compliance Solutions s Guide