SECURITY ASSESSMENT

Security assessments should be conducted on a regular basis, and should be included in the strategy. Major international standards include third-party assessments as an important requirement. The goal of assessments is to ensure that necessary and adequate security controls are implemented to protect information assets from unauthorised access, use, disclosure, disruption, modification, recording or destruction.

We, at Forebrook, conduct comprehensive assessments based on best practices and international standards. In addition to using the latest tools for vulnerability assessments, we also check, inspect, observe and analyse information systems in a holistic manner covering technology, people, policies, processes and procedures. As an integral part of assessments, we conduct interviews with individuals and groups in the organisation to understand the infrastructure, security objectives and strategies, and assess security controls for effectiveness and adequacy. Additionally, penetration tests will be conducted for public-facing IPs.

Our Security/Risk Assessments culminate in extensive reports and recommendations for remediation along with roadmaps to implement controls.

A typical assessment covers more than 25 areas including:

  • Security Policies
  • Data Classification
  • Risk Management
  • Topology, Data Flow
  • Access Control
  • VPN/Remote Access
  • Network Access Control
  • Application Configuration
  • Database Configuration
  • Change Control
  • Patching & Anti-Virus
  • Logging / SIEM
  • Intrusion Detection
  • Physical Security
  • BCP/DR

HOW WE CONDUCT AN ASSESSMENT

Survey and Data Gathering

Consultants will examine all the components in the IT infrastructure and acquire data by:
* Physical survey of data centres
* Interviews with IT staff
* Inspection of systems, configuration data, etc.

Documentation

All the details collected will be collated and documented. Work products in this phase include:
– Documentation of servers, networks, applications, services, etc.
– Topology and connectivity diagrams
– Server and equipment lists

Assessment

Adequacy of controls will be tested against:
* Controls based on standards (PCI-DSS / ISO27001)
* Testing of controls in various security domains
* Technology assessment using VA tools

Reports

Summary and detailed reports will be compiled showing the present state of security in the organisation.

Recommendations

Based on the assessment and business requirements, recommendations will be made, which:
– Highlight areas that require immediate action
– Propose configuration changes or upgrades to systems
– Propose implementation of controls not yet in place

Presentation

The assessment will culminate in:
* Presentation of findings
* Discussion of recommendations
* Workshop with tech and admin teams

Why We Are Different

Experienced Team

Our consultants have hands-on experience in IT operations, having designed, implemented and managed sizeable and complex IT infrastructures.

Standards Based

Our assessments are based on international standards and frameworks, and controls are evaluated according to industry best practices.

Bespoke

Every single assessment that we undertake is bespoke. We consider factors such as organisational culture and issues, and constraints specific to each infrastructure.

Actionable Reports

Instead of reams of paper that nobody reads, our recommendations are detailed and specific statements, which include implementation roadmaps.

Infographics

Sample Deliverables

Reports

Summary and detailed reports on the state of security, pointing out the adequacy of the controls implemented.

Gap Analysis

Gap analysis against established standards such as ISO27001, PCI, etc.

System Documentation

Asset inventory: servers, storage, backup, network equipment, cloud assets.

Diagrams & Infographics

Network Topology, Server Architecture, etc.