Introduction
It is essential that an organization implement its security in a planned manner, following globally accepted standards. An ad-hoc implementation of security may be worse than no security at all, because it can give the organization a false sense of assurance. Organizations should also treat security as a business enabler: it helps them deliver on their promises by ensuring the Confidentiality, Integrity and Availability of their information assets. Our security implementation exercise is based on the ISO27001 (BS7799) standard. This is the preferred method even when the organization is not pursuing actual certification, because following a structured methodology achieves far better results in terms of the assurance levels the organization obtains.
Methodology
The security implementation exercise will be carried out as per the methodology shown below:
• Determine the scope of the exercise
An organization will not necessarily implement the same level of security across all of its processes or locations. Defining the scope of the implementation allows us to focus on the core business activities of the organization.

• Identification of information assets
Once the mission-critical activities of the business have been identified, we determine which information assets are necessary to keep those activities operational.

• Risk Assessment
From this stage onwards we follow our standard risk assessment methodology, as detailed in the Security Audit section.

• Risk Treatment
We then advise the organization on how best to treat the identified risks. We select controls as per the ISO27001 (BS7799) standard and add any other specific controls that are necessary to mitigate the risks.

• Organizational Security Policy, standards and procedures
We formulate the security policy for the organization, along with detailed procedures for users and system administrators. As part of this stage we also document a Dissemination Policy to ensure that the various parts of the OSP are distributed to the relevant end-users on a need-to-know basis.

• Implementation of controls
Once the policies, standards and procedures have been formulated, we work with the client to implement the various controls within the timelines decided earlier. The core focus is on reducing risk to an acceptable level while maintaining the correct balance between security and business functionality. Our team of security analysts has expertise in a wide variety of security technologies:
Firewalls: Symantec Enterprise Firewall, Symantec Gateway Security
Intrusion Detection Systems: Symantec ITA, Symantec ManHunt
Security Intelligence and Correlation: e-Security, ArcSight, Symantec ESM
Honeypots and Honeynets: Symantec Decoy Server
PC monitoring: Spector360, SpectorCNE
ISO27001: Titanium ISO27001 tools
Sarbanes-Oxley (SOX404): Titanium SOX404 tools
• Internal Review Audit
Our team, together with the organization's system administrators, carries out an internal security audit to evaluate the effectiveness of the controls that have been put in place.

• BCP/DRP
As an optional service, we may also implement a Business Continuity Management process for the client, resulting in a well-defined Business Continuity and Disaster Recovery Plan.