
Why is Security Assessment important?

Companies handle a lot of proprietary and customer-sensitive data, so from a data security and compliance point of view it is important that this data be handled with the utmost care. The assessment service is mainly aimed at reviewing the basic security controls and other arrangements already in place to prevent data theft and/or an attack by an external intruder on the data- and service-critical systems. We understand that building security controls or enhancing the existing security infrastructure can be a tricky process and will require you to justify the investment in security and the return on that investment. Keeping in mind the need of the hour, we have therefore divided our basic security assessment module into 3 stages. This not only gives you a comfort level in working with us but also gives you confidence in our methodology (inspired by industry-wide accepted best practices) for carrying out the security assessment in your organization.
The assessment service has been designed to cover all the major domains of security at centres dealing in outsourced activities involving data and voice. However, PANSYS has more to offer to increase the security of the operations and of the environment in which the business operates; these can be discussed on a requirement basis. At the end of this assessment activity, relevant control measures and security solutions are suggested to enhance the security of the existing infrastructure.

Complete support is provided for the implementation of security controls, documentation (if required), evaluation of the right security product as per the organization's security requirements, and vendor management (if required) for procuring security products.

Scope of the Security Assessment Assignment

The scope of the assignment has been divided into three stages for carrying out the security assessment of the organization's Information Assets.

Stage 1 - Infrastructure Review

The activities carried out during this phase will determine the Information Security requirements and the threats associated with the Information Assets of the organization.

Scope of services covered


1. Understanding the threat perception of the stakeholders: the Information Owners and the Management.

2. Infrastructure Review:

This will include a detailed infrastructure review covering the following 8 domains:

I. Network Architecture and Devices

* Review of the network architecture to assess its robustness in protecting the information / information assets from attacks from within and outside.
* Review of the configuration of the systems and servers critical to the network environment:
  o Network infrastructure devices: Layer 2 and Layer 3 switches, and routers, if any
  o Servers
  o Firewalls and Intrusion Detection Systems

II. Single Points of Failure (SPOF)

* Identify SPOFs.
* Review countermeasures against single points of failure.

III. Physical and Environmental controls

* Review physical and environmental controls at the server room.

IV. Logical Access controls

* Review controls for IT admin users and general (non-IT) users.

V. Internet

* Review security for access to and usage of the Internet.

VI. Backup

* Review backup procedures.

VII. Virus protection

* Review controls for virus protection.

VIII. End-user computing

* Review of desktops: basic hygiene (including password settings, OS version/patches, hard-disk sharing, virus protection, etc.)
* Controls for local storage of data
* Protection measures against the use of unauthorized software

Stage 2 - Secure Network Design Review

This stage will involve a review of the existing network design of your organization from an optimal-security point of view. Based on the infrastructure review carried out in the previous stage and the requirements for a secure network design understood in this phase, security products/solutions and/or any necessary physical re-arrangements in the design of the network will also be recommended.

Scope of services covered

* Review of existing Network design and arrangement.

Stage 3 - Vulnerability Assessment (VA)

A VA will be carried out to determine whether potential vulnerabilities or security exposures exist on the systems, servers and applications of the organization. This particular service can be hired on a regular (quarterly, half-yearly or yearly) basis to scan for and fix new vulnerabilities regularly, so as to maintain an optimal level of security in the systems and applications.

Scope of services covered

1. Perform TCP/IP vulnerability scanning with state-of-the-art TOOLS with plugins enabled to discover the latest known and potential vulnerabilities as on the day of the scan.
2. Perform vulnerability scanning of any internet and intranet application using state-of-the-art scripts and TOOLS with plugins enabled to discover the latest known and potential vulnerabilities as on the day of the scan.

Deliverables

1. Infrastructure security assessment report detailing the status of the reviewed parameters of the 8 domains.
2. Secure Network Design document.
3. Evaluation report of the best security solutions, accompanied by recommendations for deploying appropriate solutions.
4. Vulnerabilities highlighted in the Assessment report.
5. Recommendations to fix vulnerabilities and put controls in place.

Time Frame

Varies from 6 working days to 25 working days depending upon the scale of the setup.

ISO 27001 Compliance

We review the implementation of security controls against the existing security policy (assuming the existing security policy is ISO 27001 compliant). In case no policy is present, we prepare one for the organization and can see to it that the controls are implemented according to that policy. On the technical front, implementation manuals for the existing IT systems and sub-systems can be provided to the company. These implementation manuals contain the parameter values required for hardening/securing servers, network-security systems (i.e. firewalls, IDS, etc.), the network infrastructure including Wi-Fi networks, databases, and other applications that have an impact on IT security for the enterprise.

In other words, the complete deployment of an ISMS (of which the above-mentioned points are an integral part) against ISO/IEC 27001 audit scenarios can be managed by our firm. For an external audit for the purpose of certification, our consultants have the competence and experience to carry out compliance audits at large scale. To understand the depth and breadth of the Security Controls and Security Policy that are developed and reviewed during the compliance preparation, kindly get in touch with us.

Time Frame

For a network setup of 125 workstations and 8 servers, it takes around 3 intensive months to get an organization ready for the ISO 27001 audit.

Other Services

Depending on the needs of the business, we also provide the following services:

* Risk Assessment and Recommendations
* Penetration Testing
* Compliance Review and Audits for ISO 27001, SOX, HIPAA, GLBA, etc.
* Policy Development
* e-Security Awareness and Training
* Risk Management
* Computer Forensics
* IT Disaster/Contingency Plan Development and Evaluation
* Threat and Vulnerability Assessment
* Procedures Development and Review
* Configuration Management / Change Control Process Development and Assessment
* Wireless Security
* VoIP Security
* Asset (Software and Hardware) Management
* Security Product Evaluation and Vendor Management

We also offer E-Risk solutions as:


For more details send your requirements to information
..
