Digital Security

Compliance Standards Services

ISO 27001 ISMS Consulting Advisory: ISO 27001 certification is a globally recognized and accepted information security standard established by the International Organization for Standardization (ISO) in partnership with the International Electrotechnical Commission (IEC). ISO 27001 is part of a set of standards developed to handle information security: the ISO/IEC 27000 series. It is a robust framework that enables organizations to demonstrate a high-level security and risk management approach aligned with industry best practices. The focus of ISO 27001 is to protect the confidentiality, integrity, and availability of business information or data, which may include customer data, employee details, financial information, intellectual property, or information entrusted by third parties.

Pratomate’s approach for ISO 27001 ISMS Consulting Advisory:

  • Initial Study: to understand the business environment
  • Scope Definition: to understand your business operations, controls, and systems to define the scope (People, Process, Operations, Technology, and Geographical Locations)
  • Gap Analysis: Study the requirements of the ISO 27001 ISMS Standard and the organization’s actual compliance with them
  • Awareness Training: to create awareness about key concepts of ISO 27001 ISMS Standard among the organization teams
  • Asset Classification: Identify critical information assets and classify accordingly
  • Risk Assessment and Risk Treatment: Conduct a thorough study of risks to identify weak areas and loopholes that could impact the business-critical assets of the organization. Rank the risks identified and accordingly help strategize appropriate risk treatment measures
  • Documentation Support: We help in preparing appropriate policies and procedures as required by the ISO 27001 ISMS Standard
  • Documentation Rollout: Releasing ISMS Documentation (Policies and Procedures). Help teams understand policies and procedures
  • Training Internal Auditors: Identify the suitable team structure who can conduct internal assessment as required by the ISO 27001 ISMS Standard
  • Pre-assessment and Certification support: Help the organization assess the results of the internal assessment. Once the effectiveness of policies, procedures and controls is confirmed, we extend support and handholding till the organization gets certified

ISO 22301 BCMS Consulting Advisory: A Business Continuity Management System involves developing a strategy to prevent and recover from unforeseen incidents like fire, flood, or cyber-attack. The process involves drawing up detailed procedures and instructions for the organization to follow in the event of a disaster. This involves determining all the possible risks that could impact business operations. It is meant to help organizations continue their operations even in the case of a major event or disaster. The term Business Continuity Plan is often used interchangeably with Disaster Recovery Plan. However, it is important to note that they are different: a Disaster Recovery Plan focuses on the recovery of a company’s IT systems after a crisis.

Pratomate’s approach for ISO 22301 BCMS Consulting:

  • Initial Study: to understand the business environment
  • Scope Definition: to understand your business operations, controls, and systems to define the scope (People, Process, Operations, Technology, and Geographical Locations)
  • Gap Analysis: Study the requirements of the ISO 22301 BCMS Standard and the organization’s actual compliance with them
  • Awareness Training: to create awareness about key concepts of the ISO 22301 BCMS Standard among the organization teams
  • Asset Classification: Identify critical information assets and classify accordingly
  • Business Impact Analysis (BIA): Conduct a thorough Business Impact Analysis (BIA) to identify your critical services, cost of downtime, and interdependencies. It is in this phase that the RPO and RTO are identified. The RPO (Recovery Point Objective) is the maximum acceptable amount of data loss an application can undergo before causing measurable harm to the business. The RTO (Recovery Time Objective) is the downtime target: it states how much downtime an application can experience before there is a measurable business loss
  • Risks and Threat Analysis: Conduct a thorough study of risks and threats to identify single points of failure and related critical dependencies
  • Preparing BCM Strategy: Based on the findings of the risk and threat analysis, prepare a suitable BCM strategy which shall be implemented at various levels in your organization
  • Deciding Response Strategy: Response Strategy preparation includes developing and implementing the Business Continuity Management (BCM) response based on the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO)
  • Documentation Support: We help in preparing appropriate policies and procedures as required by the ISO 22301 BCMS Standard
  • Documentation Rollout: Releasing ISO 22301 BCMS Documentation (Policies, Procedures, BCMP). Help teams understand policies and procedures
  • Training Internal Auditors: Identify the suitable team structure who can conduct internal assessment as required by the ISO 22301 BCMS Standard
  • Pre-assessment and Certification support: Help the organization assess the results of the internal assessment. Once the effectiveness of policies, procedures and controls is confirmed, we extend support and handholding till the organization gets certified

PCI DSS Audit & Certification: The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards formed in 2004 by major credit card companies including Visa, MasterCard, Discover Financial Services, JCB International, and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the Standard aims to secure credit card and debit card transactions against theft and fraud. Although the Standard is not a legal obligation, it is a requirement for safeguarding cardholder data and debit/credit card transactions, so all organizations that accept and process debit/credit card payments are expected to undertake an annual PCI DSS audit. This typically includes an audit of security controls and processes covering data security areas such as retention, encryption, physical security, authentication, and access management.

Pratomate’s approach for PCI DSS Consulting:

  • Initial Study: Conduct initial study to understand card processes, the technical environment and accordingly decide PCI scope.
  • Scope Definition: Identify the systems that fall under the PCI DSS scope and formulate the scope statement
  • Gap Analysis: Identify gaps in the organization’s security control systems and environment against the PCI DSS standard’s requirements
  • Data Leakage Assessment: Conduct a thorough data leakage assessment of systems and applications and identify remediation
  • Awareness Training: Conduct awareness sessions for IT Team and personnel involved in the card data processing, on key requirements of PCI DSS
  • Data and Asset Classification: Identify critical information assets, data assets and classify them
  • Risk Assessment and Risk Treatment: Conduct a thorough risk analysis to identify the impact of the risks on the business-critical assets of the organization. Prepare detailed remediation strategies, including the recommendation of compensating controls as applicable, that can help your organization strengthen its security posture
  • Documentation Support: We help in preparing appropriate policies and procedures as required by the PCI DSS Standard
  • Documentation Rollout: Releasing PCI DSS Documentation (Policies, Procedures, BCMP). Help teams understand policies and procedures
  • Training Internal Assessment Teams: Identify the suitable team structure who can conduct internal assessment
  • Pre-assessment, Audit and Attestation support: Help the organization assess the results of the internal assessment. Once the effectiveness of policies, procedures and controls is confirmed, we extend support and handholding till the organization gets successfully assessed

ISO 20000-1 ITSM Consulting Advisory: The ISO 20000-1 ITSM Standard is implemented to continually improve an Information Technology Service Management System (ITSM). Compliance with the ISO 20000-1 ITSM framework shall help deliver effective IT services.

Pratomate’s approach for ISO 20000-1 ITSM Consulting:

  • Initial Study: to understand the business environment
  • Scope Definition: to understand your business operations, and systems to define the scope (People, Process, Operations, Technology, and Geographical Locations)
  • Gap Analysis: Study the requirements of the ISO 20000-1 ITSM Standard and the organization’s actual compliance with them
  • Awareness Training: to create awareness about key concepts of the ISO 20000-1 ITSM Standard among the organization teams
  • Documentation Support: We help in preparing appropriate policies and procedures as required by the ISO 20000-1 ITSM Standard
  • Documentation Rollout: Releasing ISMS Documentation (Policies and Procedures). Help teams understand policies and procedures
  • Training Internal Auditors: Identify the suitable team structure who can conduct internal assessment as required by the ISO 20000-1 ITSM Standard
  • Pre-assessment and Certification support: Help the organization assess the results of the internal assessment. Once the effectiveness of policies, procedures and controls is confirmed, we extend support and handholding till the organization gets certified

Technical assessment services for cyber security

  • Network penetration testing
  • Website and web application vulnerability assessment and penetration testing (VAPT)
  • Cloud as well as mobile application security testing
  • Web service APIs (Application Programming Interface) pen testing
  • Network audit services
  • IoT security testing services

Website and web application vulnerability assessment and penetration testing (VAPT): Vulnerability assessment is a systematic process of identifying vulnerabilities in systems, applications, and network infrastructure. It is a process of reviewing systems and networks that are susceptible to any vulnerability. The assessment helps the organization determine security flaws, risk exposure, and assets that are potentially exposed to cyber security breaches.

Penetration Test is a security testing method that involves performing a planned cyber-attack with an ethical hacker on your systems. This would typically mean performing a planned attack under controlled conditions, replicating scenarios of a real attack attempt. The test is performed to identify exploitable vulnerabilities and evaluate the effectiveness of your organization’s security posture.

Mobile Application Security Testing: Internet users are moving from desktop browsers to mobile browsers because of the increased usage of mobile apps. Unfortunately, mobile applications are not inherently safe; in fact they raise serious cyber security problems for “data in transit” and “data at rest”. This has given rise to mobile app security concerns.

Cloud as well as mobile application security testing: Nowadays web applications are moving to cloud technology. This enhances application functionality but also adds cloud security issues. With cloud hosting everything is virtual, and it becomes difficult to keep control of the “data at rest” and “data in transit”.

Cloud computing technology offers three basic models of implementation, namely Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS). Securing cloud environments covers virtualization security, access control, data protection and other areas.

Web service APIs (Application Programming Interface) penetration testing: APIs often self-document information regarding their implementation and internal structure, which is widely used as intelligence for cyber-attacks. Additionally, vulnerabilities such as weak authentication, lack of encryption, flaws in the business logic and insecure endpoints make APIs vulnerable to the attacks listed below:

  • Injection attacks: In an injection attack, malicious code is embedded into an unsecured software program to attack the system. SQL injection and cross-site scripting are widely used to manipulate data or to transfer untrusted data into the API as part of a query or command; as a result, the attacker gains unauthorized access to information and may cause further damage.
  • Denial of Service (DoS) attack: In this type of attack, the attackers mostly flood the web service with ICMP or SYN packets. When the system is overwhelmed by a volume of traffic the server is unable to handle, the system eventually stops or crashes.
  • Sensitive data exposure: Sensitive data exposure often happens due to improper protection of sensitive data, such as a lack of encryption in transit or at rest. Examples range from private health information and credit card information to session tokens, passwords, and keys.
  • Broken access control: By default, the functions and contents of a web service are accessible only to privileged users while access is denied to others. Missing, broken or inadequate access control allows an attacker to gain control of other users’ accounts, alter access privileges and modify data.
  • Broken authentication: Due to broken or weak authentication, attackers either bypass or take control of the authentication methods used by the web service. This may lead to an attack in which web tokens, API keys, passwords, etc. are compromised. Such attacks are usually used to take over several accounts and to obtain the same privileges as the attacked user.
  • Parameter tampering: In this attack the system is attacked by manipulating the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
  • Man-In-The-Middle Attack (MITM): In this attack, the attacker secretly listens to the data transfer taking place between two systems. Confidential and important data being transferred can be intercepted or modified without the knowledge of either system.
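As an added illustration of two items in the list above, parameter tampering and broken access control, here is a constructed checkout/order API in Python with the weak handlers beside their hardened forms. This example is not Pratomate’s code; the catalogue, session table, order store and handler names are all assumptions made up for the demonstration.

```python
# Constructed example: parameter tampering and broken access control in a
# small order API. All data below is made up; nothing here is a real product.
from decimal import Decimal

CATALOGUE = {"sku-100": Decimal("49.99")}            # server-side source of truth for price
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> authenticated user
ORDERS = {"ord-1": {"owner": "alice", "sku": "sku-100", "qty": 1}}


def vulnerable_checkout(body: dict) -> dict:
    """Trusts every field the client sends: price, quantity and user id."""
    total = Decimal(str(body["price"])) * body["qty"]   # client dictates the price
    return {"user": body["user_id"], "total": total}    # client dictates who is charged


def vulnerable_get_order(body: dict) -> dict:
    """Returns any order by id; never checks that the caller owns it."""
    return ORDERS[body["order_id"]]


def hardened_checkout(token: str, body: dict) -> dict:
    """Identity comes from the session, price from the catalogue, quantity is validated."""
    user = SESSIONS.get(token)
    if user is None:
        raise PermissionError("not authenticated")
    sku = body.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    qty = body.get("qty")
    # bool is a subclass of int, so exclude it explicitly; cap the range as a business rule
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # any "price" or "user_id" fields supplied by the client are ignored entirely
    return {"user": user, "total": CATALOGUE[sku] * qty}


def hardened_get_order(token: str, order_id: str) -> dict:
    """Object-level authorization: the order must belong to the authenticated caller."""
    user = SESSIONS.get(token)
    order = ORDERS.get(order_id)
    if user is None or order is None or order["owner"] != user:
        raise PermissionError("forbidden")  # same answer for missing and foreign orders
    return order


def rejected(handler, *args) -> bool:
    """True when the handler refuses the request; lets callers check outcomes without try/except."""
    try:
        handler(*args)
    except (PermissionError, ValueError):
        return True
    return False


# Constructed tampered request: Bob sends Alice's user id, a 1-cent price and Alice's order id.
TAMPERED = {"user_id": "alice", "sku": "sku-100", "qty": 2, "price": "0.01", "order_id": "ord-1"}
```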

Network penetration testing: It is a service in which corporate IT networks are scanned and tested to detect security vulnerabilities by evaluating the system or network with various malicious techniques. Such gaps can result in exploitation and theft of data which should ideally be protected by the IT networks.

Network audit services: Network audit is a highly customized service for customers who want their IT network assessed for design, scalability and security. IT networks keep changing based on business needs. From a cyber security point of view, the many changes made to a network by multiple technical teams usually lead to vulnerabilities. Hence it is always suggested to conduct a network security audit to ensure proper network health and a stable, scalable and secure IT network infrastructure. Regularly scheduled network vulnerability scanning helps an organization identify weaknesses or security holes in its network security before hackers can mount an attack. The purpose of conducting VAPT is to find network devices that are open to known vulnerabilities without compromising the IT infrastructure.

IoT security testing services: The Internet of Things (IoT) is the interconnection of disparate sensors, devices, systems, and cloud and local IT infrastructure connected to the network through IP addresses. In industry it is called the Industrial Internet of Things (IIoT), an extension of industrial control systems like DCS and SCADA, which are typically focussed on localised data acquisition, monitoring and control. Both IoT and IIoT provide a business edge and great flexibility, mobility, real-time insights and decision-making capability, and more computing and analytical power, by integrating more systems, devices and people spread across geographies. However, they also pose serious threats and risks due to a lack of focus on cyber security needs during design, engineering, deployment and sustenance. The growing number of endpoints and the convergence of multiple systems add to complexity, and so to the vulnerabilities.

Code security review as per OWASP: The Open Web Application Security Project (OWASP) recommends secure coding guidelines for applications, especially web and mobile based applications. Adherence to these guidelines ensures development of a secure application. Performing code reviews periodically for compliance against OWASP guidelines is highly recommended, as any inadvertent introduction of a security loophole will get detected and fixed before attackers detect and exploit it.

Email

info@pratomate.com

Address

  • ‘DENALI’, S. No 6/2/2, Yogiraj Park, Karve Nagar, Pune, Maharashtra, India 411052.

All Rights Reserved @ Pratomate