Cyber Security Governance

Effective cyber security controls help to minimize the risk of sensitive business information being lost, leaked, damaged or stolen, and to ensure the continued availability of business activities, information and systems. A Cyber Security Governance review/assessment provides assurance that adequate security controls are implemented in the organization.

Methodology

  • Get an understanding of the IT and security environment, and review documentation including any relevant policies, standards, guidelines and procedures
  • Perform current state and gap assessments against industry leading practices such as ISO 27000, NIST, SAMA Cyber Security Framework or COBIT 5, and identify the applicable security controls (risk-based or compliance-based)
  • Test the design and operating effectiveness of these controls
  • Report on the findings

Tools

  • Risk and Control Knowledgebase

Deliverable

  • Cyber Security Governance Review Report (Executive Summary, Detailed Findings, Risks, Recommendations and Management Response).

Information Security (IS) High Level Scope – ISO 27000 Domains

  • IS Policy Management;
  • Organization of IS;
  • Third Party / Vendor Information Security Management;
  • Information Asset Management;
  • Human Resources Security;
  • Physical and Environmental Security;
  • Security around Operational Procedures;
  • Access Management;
  • Information Security in System Acquisition, Development & Maintenance Procedure;
  • Secure Disposal or Re-use Procedure;
  • Information Security Incident Management Procedure;
  • Information Security Continuity Management Procedure; and
  • Compliance of systems and processes.

Cyber Security Services – Vulnerability Assessment & Penetration Test

Perform Vulnerability Assessment & Penetration Testing, primarily focused on corporate networks and systems. Our testing approach concentrates on identifying the potential vulnerabilities exposed to a cyber adversary by designing different attack vectors/paths on each of the network segments.

Methodology

We will go through different phases as a means to gather and collect information with the given privileges, assess and identify vulnerabilities, and exploit them as and when requested. Our Vulnerability Management service offering consists of the people, processes and technologies organized to identify, manage, remediate, track and report on vulnerabilities within the corporate environment. A time-tested methodology for conducting penetration testing assessments will be utilized.

Tools

Various diagnostic tools and techniques such as Nessus, Kali Linux, etc.

Deliverable

Vulnerability Assessment and Penetration Testing Report in MS Word format. This includes an Executive Summary (summary of all issues, findings and recommendations, snapshot of evidence and management confirmations).

External networks:

  • Identify vulnerabilities visible from the Internet.
  • Develop a profile of the network and use semi-automated tools to identify potential vulnerabilities, then manually verify these.
  • Attempt to penetrate selected systems using an agreed-upon, controlled manual testing approach to exploit the vulnerabilities identified, and analyze the resulting business risk.

Internal networks:

  • Obtain deep and privileged access to our client’s internal network.
  • Provide a realistic view of the impact associated with linking vulnerabilities into a targeted attack path.
  • Test the internal network remotely via our secure VPN solution, which can be used to establish the remote connection.

Cyber Security Services – Web Application Security Test

A controlled test of the in-scope web applications will be conducted from an unauthenticated user’s perspective, with the primary objective of identifying potential vulnerabilities present in the applications and the associated infrastructure.

Methodology

  • Identify and confirm the web applications in scope for testing
  • Conduct controlled testing of the web applications from an unauthenticated user’s perspective, with the primary objective of identifying potential vulnerabilities present in the applications and the associated infrastructure
  • Exploit application weaknesses to gain access to the underlying operating platform and/or sensitive information

Tools

  • Various industry standards.

Deliverable

Web Application Testing Report in MS Word format. This includes an Executive Summary (summary of all issues, findings and recommendations, snapshot of evidence and management confirmations).

OWASP Top 10 Web Application Security Risks (2010 edition)

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Failure to Restrict URL Access
  • A8: Insecure Cryptographic Storage
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

Cyber Security Services – Mobile Application Security Test

Mobile client software acts as the front-end for the user. Testing on the client side usually requires a rooted or jailbroken device, or an emulator. The mobile application server is typically a web server that hosts the mobile application back-end and communicates with the client software.

Methodology

  • Identify and confirm the mobile applications in scope for testing
  • Conduct controlled testing of the mobile applications from an unauthenticated user’s perspective. The application server needs to be protected in the same way as any typical application server, and the communication channel between the client software and the application server needs to be protected as well.
  • Exploit application weaknesses to gain access to the underlying operating platform and/or sensitive information

Tools

  • Various industry standards.

Deliverable

Mobile Application Testing Report in MS Word format. This includes an Executive Summary (summary of all issues, findings and recommendations, snapshot of evidence and management confirmations).

OWASP Top 10 Mobile Application Vulnerabilities (2014 edition)

  • Weak Server Side Controls
  • Insecure Data Storage
  • Insufficient Transport Layer Protection
  • Unintended Data Leakage
  • Poor Authorization and Authentication
  • Broken Cryptography
  • Client Side Injection
  • Security Decisions via Untrusted Inputs
  • Improper Session Handling
  • Lack of Binary Protections

Cyber Security Services – Infrastructure Security Configuration Testing

The objective is to conduct a security assessment of key infrastructure components in order to assess the security posture of these systems and to determine whether they could be better secured or hardened. We will focus on the systems identified as critical, in addition to the external and internal review steps. This will provide management with a holistic opinion of the target’s security.

Methodology

Our approach can be tailored to your specific needs to analyze operating systems, network routers and switches, endpoint devices, and application-level security issues that may exist within your current environment. A thorough review of the administrative, physical and technical controls governing each networked resource is performed, and all findings are validated and recorded. The review is driven by a combination of automated and manual assessment techniques in order to identify configuration weaknesses that may not be detected through traditional assessment activities.

Tools

  • Various diagnostic tools and techniques (Nessus, Kali Linux, etc.)

Deliverable

Security Configuration Testing Report in MS Word format. This includes an Executive Summary (summary of all issues, findings and recommendations, snapshot of evidence and management confirmations).

Focus Areas

  • Operating system checks (patches, exceptions, passwords, open ports, etc.)
  • Configuration tests (group policy, authentication, environment variables, network protocols, audit logs, default configurations, unnecessary services, etc.)
  • Recovery tests (assets and access points, procedures, etc.)
  • Administration checks (physical location, remote access, encryption, account lockout, session timeout, etc.)

Cyber Security Services – Network Security Architecture Review

We will examine the existing network topology and the deployment of security controls within the organization, such as firewalls, IDS/IPS and network segmentation, and make recommendations to increase the effectiveness of these controls.

Methodology

Our systematic approach to evaluating the current state ensures a detailed review of the organization’s current architecture, technology and security policy, its management practices, and its planned changes.

  • Review the network diagrams and the collected documentation
  • Identify zones and infrastructure layers
  • Analyze the current IT network, the information flows according to business requirements, and the points of access to information
  • Analyze the current security controls and procedures for the various security management areas
  • Identify gaps between the current design and the respective zones

Tools

  • Various Diagnostic tools and techniques

Deliverable

Security Configuration Testing Report in MS Word format. This includes an Executive Summary (summary of all issues, findings and recommendations, snapshot of evidence and management confirmations).

Network Security Layers

  • Security Groups
    • Inbound traffic must be explicitly specified by protocol, port and source security group.
    • VPC adds outbound filters.
  • VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters.
  • An OS firewall (e.g., iptables) may be implemented as a further layer:
    • user-controlled security layer
    • granular access control of discrete hosts
    • logging of network events
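The practical difference between the first two layers above is statefulness. As an added illustration (constructed example code, not the page’s or any cloud provider’s own), the simulator below models a security group that remembers accepted inbound connections and a network ACL that does not, and evaluates both over a constructed HTTPS exchange; the client port 50123 and the ephemeral range 1024-65535 are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the host) or "out" (from the host)
    proto: str
    src_port: int
    dst_port: int


class SecurityGroup:
    """Stateful layer: rules are (proto, port); accepted inbound flows are
    tracked so their replies pass without an outbound rule."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = set(inbound), set(outbound)
        self.tracked = set()  # (proto, client_port) of accepted inbound flows

    def allows(self, pkt):
        if pkt.direction == "in":
            ok = (pkt.proto, pkt.dst_port) in self.inbound
            if ok:
                self.tracked.add((pkt.proto, pkt.src_port))
            return ok
        key = (pkt.proto, pkt.dst_port)
        return key in self.outbound or key in self.tracked


class NetworkAcl:
    """Stateless layer: rules are (proto, low_port, high_port) and every
    packet in each direction must match one; nothing is remembered."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": list(inbound), "out": list(outbound)}

    def allows(self, pkt):
        return any(pkt.proto == proto and low <= pkt.dst_port <= high
                   for proto, low, high in self.rules[pkt.direction])


def evaluate_flow(layer, packets):
    """Per-packet verdicts of one layer over a packet sequence."""
    return [layer.allows(p) for p in packets]


def https_flow(client_port=50123):
    """Constructed HTTPS exchange: client SYN inbound, server reply outbound."""
    return [Packet("in", "tcp", client_port, 443),
            Packet("out", "tcp", 443, client_port)]


def web_security_group():
    return SecurityGroup(inbound=[("tcp", 443)])  # no outbound rule needed


def naive_nacl():
    # Mirrors the security group rule in both directions: the reply is dropped.
    return NetworkAcl(inbound=[("tcp", 443, 443)], outbound=[("tcp", 443, 443)])


def fixed_nacl():
    # Adds the stateless return rule for the client's ephemeral port range.
    return NetworkAcl(inbound=[("tcp", 443, 443)], outbound=[("tcp", 1024, 65535)])
```

The naive ACL passes the inbound request but silently drops the reply, which is the usual symptom when an ACL is written as if it were stateful.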

Cyber Security Risk Assessment/ Management

A cyber security risk management process should be defined, approved and implemented, to ensure that cyber security risks are properly managed to protect the confidentiality, integrity and availability of the Client’s information assets, and that the cyber security risk management process is aligned with the Client’s enterprise risk management process.

Cyber Security Risk Assessment:

Methodology

Conduct a Cyber Security Risk Assessment. This will include the following activities:

  • Identify Risks
  • Determine Likelihood
  • Determine Impact
  • Determine Risk Scoring
  • Identify Risk Treatment Options
  • Evaluate Residual Risk; and
  • Define Cyber Risk Appetite.

Tools

  • Risk and Control Knowledgebase

Deliverable

  • Cyber Security Risk Assessment Report

Cyber Security Risk Management Framework:

Methodology

  • Develop a Cyber Security Risk Management Approach that specifies the set of activities to be performed to establish an effective and efficient risk management process for cyber security.
  • The approach will be developed in alignment with ISO 27001:2013 ISMS, ISO 31000 and the Client’s existing Risk Management Framework (if applicable).
  • The approach document will address the following processes in relation to cyber security:
    • Risk Identification
    • Risk Analysis
    • Risk Response
    • Risk Monitoring and Review
  • Develop a training program to meet the identified requirements.

Tools

  • Risk and Control Knowledgebase

Deliverable

  • Cyber Security Governance Document
  • Cyber Security Risk Register

Third Party Assessment – Including Cloud Service Provider

There is a need to apply an appropriate framework for ensuring that third parties are effectively managing their service level and information security risks. The IT Third Party / Vendor Management Assessment provides assurance that the services provided by vendors meet the agreement and that security controls are adequately implemented by these vendors.

Methodology

We have a robust and mature framework that has been used to help organizations design and manage their third party risk management programs, including managing Service Level Agreements (SLAs) with internal/external stakeholders and information security risks at third parties.

Tools

  • Risk and Control Knowledgebase (RACK).

Deliverable

IT Third Party / Vendor Review Report (Executive Summary, Detailed Findings, Risks, Recommendations and Management Response).

High Level Scope

Vendor Management – Security and Due Diligence

  • Assess the guidelines in the procurement/tender process and the inclusion of the respective clauses (such as right to audit, NDA, etc.) in contracts (at inception and/or renewal) and SLAs.
  • Review the vendor management process and assess whether the cyber security requirements are in line with leading practices, including baseline security controls.
  • Assess the access management process of the vendor.

Vendor Management – Security and Due Diligence

  • Review the services and gain an understanding of the expectations of the client and the vendor regarding their roles, and identify deviations and/or gaps between the processes currently performed and the required/agreed levels of service.
  • Identify and assess all risks associated with the SLA/contract.
  • Review the ongoing monitoring of the relationship between client and vendor.
  • Review the process for reporting performance to executive management.

Identity & Access Management

There is a need to ensure that IT provides only authorized and sufficient access privileges to approved users. Companies should restrict access to their information assets in line with business requirements, based on the need-to-have and need-to-know principles.

Methodology

  • Get an understanding of the access management life cycle
  • Test the authentication policy
  • Assess governance
  • Review administrative and generic user management

Tools

  • Risk and Control Knowledgebase

Deliverable

Identity & Access Management Review Report (Executive Summary, Detailed Findings, Risks, Recommendations and Management Response).

Cyber Security Awareness

To create a cyber security risk-aware culture in which staff, third parties and customers make effective risk-based decisions that protect the company’s information, a robust cyber security awareness program should be defined and conducted for staff, third parties and customers.

Methodology

  • Leverage the formal policies and procedures as the initial guidance for developing the Security Management Training & Awareness Program.
  • Incorporate the latest risks and control mechanisms into the awareness slides. This includes engaging and educational videos, techniques of security compromise, and well-known case studies.

Tools

  • Cyber Security Awareness Library and Knowledge Base, aligned with leading standards such as ITIL, ISO 20000, ISO 27000 and COBIT 5.

Deliverable

  • Cyber Security Awareness Program
  • Cyber Security Awareness Sessions (On-site, Remote, Live or Video Application)
  • CPE Certificates

General Security for All Staff

  • Information security governance
  • Basic rules of security
  • Physical and logical security
  • Password security
  • Information classification
  • Malicious security
  • Ransomware – What is it and how to ensure security
  • Personal Computer security
  • Internet access and email
  • Social engineering
  • Physical engineering
  • IT Asset Management and Information security incidents

Specific for IT Team

  • System access management security
  • Application security
  • Network / Infrastructure security
  • Database security
  • Change management security
  • Data center security
  • Bring your own device
  • Secure disposal of asset and security of IT Assets
  • Information security incidents
  • Information security basic vulnerability management
  • IT vendor security
  • Outsourcing security

Cyber / Information Security Strategy, Policies & Procedures

Cyber / Information Security (IS) policies are used to provide management direction and support for Information Security in accordance with business requirements and relevant laws and regulations. Without effective policies there is a risk that personal, customer, financial and other sensitive information could be compromised, having a significant impact to the organization.

Methodology

  • Develop a Cyber Security (CS) Strategy aligned with the organization’s strategic objectives. The strategy will establish the following components:
    • The importance and benefits of cyber security
    • The anticipated future state of CS for the organization to become and remain resilient to (emerging) CS threats
    • Which cyber security initiatives and projects should be executed, and when, to achieve the anticipated future state
    • Alignment with overall business objectives and regulation(s)
  • Conduct meetings with relevant staff to get an understanding of the IT and IS environment, and review documentation including any relevant policies, standards, guidelines and procedures
  • Customize the best-practice IS policies and procedures to the organization’s processes and finalize the draft for the process owner

Tools

IS policies and procedures library – aligned with ISO 27000 and/or SAMA Cyber Security Framework.

Deliverable

  • Cyber Security Strategy
  • Information Security Policies & Procedures
  • Minimum Baseline Security

IS Policies and Procedures (sample list)

  1. System Acquisition, Development & Maintenance
  2. Security Risk Management
  3. Access Management
  4. Third Party / Supplier Management
  5. Acceptable Use
  6. Information Security Continuity
  7. Information Classification and Handling
  8. Physical and Environmental Security
  9. HR Security
  10. Network Communication Security
  11. Information Media Handling
  12. Security Incident Management
  13. Change Management
  14. Vulnerability Management
  15. Mobile Computing Security
  16. IT Asset Management Security
  17. Antivirus Security
  18. Security Compliance
  19. Information Security Incident Management
  20. Audit & Event Logging Management

Information Technology Governance - Policies & Procedures

IT policies and procedures help the company establish guidelines on how information technology is to be handled by its employees.

Methodology

  • Conduct meetings with relevant staff to get an understanding of the IT and IS environment, and review documentation including any relevant policies, standards, guidelines and procedures
  • Customize the best-practice IT policies and procedures to the organization’s processes and finalize the draft for process owner review and confirmation

Tools

  • IT policies and procedures library, aligned with leading standards such as ITIL, ISO 20000, ISO 27000 and COBIT 5.

Deliverable

  • IT Policies
  • IT Procedures
  • IT training on the IT policies & procedures
  • Develop manual forms (where applicable)

IT Policies and Procedures (Sample List)

  1. Data Center and Network Operations
  2. System Change Management
  3. IT Disaster Recovery
  4. System Access
  5. IT Incident Management
  6. IT Problem Management
  7. IT Vendor Management
  8. IT Acceptable Use
  9. Data Storage
  10. Logging and Monitoring
  11. Back up Management
  12. Capacity Management
  13. Batch Processing and Error Log Management
  14. IT Help Desk
  15. IT Service Level Management

We deliver well-thought-out, innovative and effective solutions

We deliver results by combining a people-centric approach with analytics and leading practices to enact solutions based on a deep understanding of the organization, its processes and its culture.