IDP Professional Services & Capability Summary:
- Network Penetration Testing Services
- Website Penetration Testing Services
- Compliance Assessments
- IT Governance Consulting Services
- Enterprise Security Audits
Network Penetration Testing Services
The changes you make to your network on a day-to-day basis can increase the risk of compromise to your
critical information and systems. Changes such as providing intranet access to a strategic partner,
deploying new applications and implementing new technology can go undiscovered, introducing unacceptable
levels of business risk into your environment. IDP can help!
IDP’s penetration testing services can give you a quick and detailed analysis of your current external
(and internal) exposure to breaches that threaten critical information and assets. This is an essential first
step for governments and businesses worldwide in determining the necessary next steps for maintaining the
security levels mandated by common standards such as ISO 17799/BS 7799, Sarbanes-Oxley, HIPAA and the
Payment Card Industry Data Security Standard.
The Benefits
- Find out exactly what potential security vulnerabilities are present on your network perimeter.
- Get practical and relevant technical information on how these vulnerabilities can be remediated.
The Details
By analyzing your network, IDP can provide an accurate evaluation of the vulnerabilities on your Internet-facing
hosts, as well as hosts on your internal network. IDP will test your systems to determine whether
vulnerabilities are present and how likely it is that your systems will be attacked by known exploits,
automated malcode threats or malicious Internet users. Specifically, IDP will verify which systems on your
network are active and what services are running. Our security analysts will identify potential security
vulnerabilities and provide relevant technical information on how these vulnerabilities can be fixed.
Vulnerabilities will be rated by severity to help you quickly identify the level of security threat
they pose and then prioritize the issues for mitigation.
Our Approach
- Perform a pre-test validation scan to determine the number of live hosts and to confirm access to
the target IP address ranges.
- Attempt to identify the most vulnerable entry point on your network perimeter.
- Attempt to exploit the vulnerabilities identified.
- Report our findings and make recommendations for fixing vulnerabilities before they become a real problem.
The penetration test will include both manual and automated tests, including:
- Port scanning and banner capture to identify services available on hosts
- Vulnerability assessment of identified services
- Firewall checks pertinent to the type and release of firewalls employed by the business
- Password authentication tests
- Network protocol based tests
- Protocol spoofing checks
- Network device checks
- Mail relay checks
- Wireless checks
- DNS checks
- VoIP checks
Website Penetration Testing Services
As many as 70% of web sites have vulnerabilities that could lead to the theft of sensitive corporate
data such as credit card information and customer lists.
Website security is possibly today's most overlooked aspect of securing the enterprise and should be a
priority in any organization. Hackers are concentrating their efforts on web-based applications -
shopping carts, forms, login pages, dynamic content, etc. Web applications are accessible 24 hours a day,
7 days a week and control valuable data since they often have direct access to backend data such as
customer databases. Firewalls, SSL and locked-down servers are futile against web application hacking.
Any defense at the network security level will provide no protection against web application attacks, since
they are launched over port 80, which has to remain open. In addition, web applications are often tailor-made
and are therefore tested less than off-the-shelf software, making them more likely to have undiscovered
vulnerabilities. IDP will evaluate and analyze your web applications for SQL injection, XSS and other web
vulnerabilities.
IDP’s penetration and assessment services include:
- An automatic client script analyzer allowing for security testing of Ajax and Web 2.0 applications.
- In-depth SQL injection and cross-site scripting testing.
- Advanced penetration testing tools, such as an HTTP Editor and the HTTP Fuzzer.
- A visual macro recorder that makes testing web forms and password-protected areas easy.
- Support for pages with CAPTCHA, single sign-on and two-factor authentication mechanisms.
- Extensive reporting facilities, including PCI compliance reports.
- A multi-threaded, fast scanner that crawls hundreds of thousands of pages with ease.
- An intelligent crawler that detects web server type and application language.
- Crawling and analysis of websites including Flash content, SOAP and AJAX.
- Port scanning of the web server and security checks against the network services running on it.
Compliance Assessments
HIPAA
In recent years, there has been an increased dependence on web-based information systems within the healthcare
industry. This new form of healthcare information access and communication has come at a price. This price comes
in the form of security vulnerabilities in web applications. Practically all recent statistics point to web
applications as being one of the greatest risks to information.
HIPAA, among other things, mandates the privacy and security of PHI against the various threats and vulnerabilities
associated with information management. As it relates to web application security, IDP will assess HIPAA security
compliance using best practices, including:
- Risk analysis to determine what applications and data are vulnerable
- Proper authentication, access control, and logging systems
- Ongoing auditing of information systems to test for newly discovered vulnerabilities
Sarbanes-Oxley (SOX)
Sarbanes-Oxley is all about accountability. It requires that C-level officers of publicly traded companies
personally sign off on the accuracy of financial reports and demonstrate that they have a sound series of
internal controls.
Sarbanes-Oxley’s audit requirements mandate security for networked systems and financial data.
The Sarbanes-Oxley provisions (below) invite a process-based solution, rather than a turnkey one.
- Section 302 requires executives to certify the accuracy of corporate financial reports
and that they have mechanisms in place to assure data integrity and to protect against fraud.
- Section 404 requires executives and auditors to confirm the effectiveness of internal controls for
financial reporting, with an annual assessment of controls and external verification or opinion
on the accuracy of that assessment.
- Section 409 requires disclosure to the public, on a “rapid and current” basis, of material
changes to the firm’s financial condition.
- Section 802 mandates the protection and retention of financial audit records, requiring
security for those records and imposing criminal penalties for altering documents.
IDP assists clients in attaining and maintaining compliance with Sarbanes-Oxley by performing:
- Pre-Audit SOX Security Assessments: by having IDP conduct a security assessment before the
compliance audit, clients are able to establish a standard of due care and build a defensible case for their
internal controls and implementation decisions for compliance with Sections 302 and 404.
- Managed Security Services for continued compliance with Sections 404 and 409, providing 24x7 monitoring of
networked information systems.
- SOX Security Reports for a demonstrable record of compliance with Sections 409 and 802, providing
compliance reports, including a Defensible Position Portfolio.
Payment Card Industry (PCI) Data Security
Major credit card companies have instituted new mandatory compliance programs that require most businesses
that store or transmit cardholder data to adhere to the Payment Card Industry (PCI) Data Security Standard.
Data transmitted or stored via websites, shopping carts, e-mail, point-of-sale systems and customer databases
must be protected.
Compliance with the PCI standard requires a detailed, ongoing program involving no less than:
- An annual assessment
- A time-sensitive detailed plan to achieve 100% certification
- Quarterly vulnerability assessments conducted by a PCI-certified third party
IDP provides comprehensive PCI assessment services encompassing an organization’s network,
its applications and its underlying databases.
IT Governance Consulting Services
IDP assists businesses and governmental entities in developing, documenting, training on and implementing global
policies and procedures to support their IT Governance Strategy. IDP employs best practices based on the framework
and methodologies set forth by COBIT and ITIL.
Now more than ever, information and the technology that supports it represent a business’s most
valuable assets. Key to protecting those assets is the need to understand and manage the associated
risks, both to the information itself and to the underlying technology.
Assuring the value and availability of IT, managing IT-related risks, and meeting the increased
requirements for control, protection and security over information have become generally accepted as
key elements of effective enterprise governance. Value, risk and control constitute the core of IT governance.
Control Objectives for Information and related Technology (COBIT®) provides a framework from which
businesses can develop robust IT governance. It does this by ensuring that:
- IT is aligned with the business
- IT enables the business to operate effectively and achieve its goals
- IT resources are used responsibly
- IT risks are managed appropriately
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and
maturity models to measure their achievement, and identifying the associated responsibilities of business
and IT process owners.
The process focus of COBIT is based on a process model that subdivides IT into four domains and 34 processes.
The four domains are:
- Plan and Organize (PO): Provides direction to solution delivery (AI) and service delivery (DS).
- Acquire and Implement (AI): Provides the solutions and passes them on to be turned into services.
- Deliver and Support (DS): Receives the solutions and makes them usable for end users.
- Monitor and Evaluate (ME): Monitors all processes to ensure that the direction provided is followed.
ITIL® is a consistent and comprehensive documentation of best practice for IT Service Management.
It is used by thousands of organizations around the world.
ITIL provides guidance on the provision of quality IT services, and on the accommodation and environmental
facilities needed to support IT. ITIL has been developed in recognition of organizations’ growing
dependence on IT and embodies best practices for IT Service Management.
ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its
guidance offers users a huge range of benefits that include:
- reduced costs
- improved IT services through the use of proven best practice processes
- improved customer satisfaction through a more professional approach to service delivery
- standards and guidance
- improved productivity
- improved use of skills and experience
- improved delivery of third party services through the specification of ITIL or ISO 20000 as the
standard for service delivery in services procurements.
Enterprise Security Audits
IDP assists clients in designing, implementing and conducting Enterprise Security Audits in these key areas of the organization:
- Asset Protection
- Internet Security
- Intranet Security
- Wireless and Remote Access
- IT Policy and Procedure Development
- Email Security, Retention and Availability
- Physical and Infrastructure Threat Assessments
- Information Security: Authentication, Access and Availability
- Backup and Recovery: Business Interruption and Business Continuity
Value Proposition