ISO 27002:2015 Based Cyber Security Testing Program

This program is based on open standards that are generally recognized and built on today's current best security practices. m3ip will provide annual proactive security testing and analysis that meets today's regulatory compliance demands. We will assist you in building and maintaining a change control and patch management plan for your organization, as well as with policy review and revisions. We will help identify what you need to do immediately to comply and will assist you in setting goals for long-term compliance. We implement a complete plan for long-term security to help you evolve as regulations change. We also assist our clients in tracking changes in the plan and assessing its long-term effectiveness. This service is based on current security best practice methodologies and modeled after:

  • Confidentiality
  • Integrity
  • Availability

This program is based on current best security practice methodologies and modeled after the ISO 27002:2015 framework.

  • Annual Cyber Security Program includes the following components:

    • Quarterly cycle testing and review of your computer, virtual and network infrastructure;

    • Social Engineering Testing - Real-world phishing scenario pre-determined with senior management;

    • OWASP Web Application Testing;

    • Nexpose Security Console External Vulnerability Assessments;

    • Metasploit Professional External Penetration Tests;

    • Netsparker Application External Intrusion Tests;

    • Nexpose Security Console Internal Vulnerability Assessments;

    • Metasploit Professional Internal Vulnerability Validation Tests;

    • Executive Summary and Results Reports with Remediation;

    • Review of current cyber security controls;

    • Review of current best practices.

ISO 27002:2015 Based Security Assessment

An information technology ISO 27002:2015 security assessment is a systematic, measurable technical assessment of how an organization's security policy and procedures are employed at a specific point in time. Our security consultants work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be assessed. An assessment of an information infrastructure involves testing for various vulnerabilities, looking at the overall design of the information systems and the overall resistance to social engineering tactics. This assessment consists of security checklists and questionnaires covering networks/LANs, firewalls, internet access, data access, virus management, etc. As part of the assessment, policies, procedures and operations are reviewed for compliance with current best practices, standards and regulations. Network and system infrastructures are evaluated, vulnerabilities are identified, and existing safeguards are validated using the ISO 27002:2015 framework. The results of this assessment will allow the organization to identify concerns and select an appropriate level of response associated with its Internet-related services.

    • Comprehensive review of security management controls
    • Network and system access control review
    • Escalation of privileges
    • Change control
    • Recommendations and remediation

Social Engineering Testing

We will develop a detailed Social Engineering Test using real-world spear phishing tests that are reviewed and pre-determined with senior management participation. Clearly defined objectives are a must for a useful social engineering test. "Obtain sensitive information" is usually too vague, and presents opportunities for blame, hurt feelings and lawsuits. Consider tying your goals to the controls the organization has defined in its security program to meet defined requirements.

    • Purple Team Based Social Engineering Campaign - Real-world social engineering campaign scenario. This type of test exists to ensure and maximize the effectiveness of the institution's defenses. This is achieved by integrating the defensive tactics and controls from the institution with the threats and vulnerabilities found by m3ip.

      • The objective of this campaign is to elevate privileges and/or to "plant a flag" in order to breach the Bank's cyber security general controls.

      • Attempt to socially engineer employee(s) into divulging sensitive information and/or granting or gaining access to sensitive areas/resources via:

        • Physical appearances;

        • Information Gathering;

        • Verify “clean desk” policies;

        • Pre-text calling based on OSINT findings;

        • Email communications;

        • Telephone conversations;

        • USB Baiting;

        • Tailgating;

        • Verify security of wireless guest access;

        • Email phishing campaign.

Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.

Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing) or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed.

Disaster Recovery Planning & Development

Industry experts say only six percent of businesses that suffer a catastrophic loss of data stay in business. m3ip can assist your institution in minimizing your risk so you don't become a statistic, with the following four project modules as part of a comprehensive DRP:

  • Business Continuance Requirements - Meetings with key staff and division managers are used to discuss the initial understanding of the application recovery requirements and to further define business continuance requirements within each division or business function.

  • Recovery Strategy Options - Upon gaining an understanding of the business continuance requirements, high-level application recovery scenarios are defined which will provide an estimated range of the costs associated with the recovery strategy options.

  • Disaster Recovery Outline - The Disaster Recovery Outline is created to document the next steps required to develop the Disaster Recovery Step-by-Step Recovery Procedures document. This document serves as an outline to guide you through the requirements for obtaining agreements and pricing from vendors, partners, and any other parties that could be involved in the event of a disaster, as well as to assist in developing the actual procedures to be performed.

  • Disaster Recovery Step-by-Step Recovery Procedures - A step-by-step procedure document outlining what needs to happen in the event of a disaster.

GLBA Compliance Risk Analysis & Audit

Comprehensive FFIEC security analysis and audit. This deliverable involved the comprehensive review of both internal and external security controls, operational procedures, and policies as compared to financial and regulatory standards and best practices. This engagement resulted in the identification of a number of significant security vulnerabilities, tactical recommendations for the remediation of each, and a strategic roadmap for the client to reach GLBA compliance.

The Gramm-Leach-Bliley Act (GLBA) requires U.S. financial institutions to ensure the security and confidentiality of customer records and information. The U.S. Department of Treasury distributed guidelines to address standards for developing and implementing safeguards to protect the security, confidentiality and integrity of customer information. The deadline for compliance was July 1, 2001. Institutions must regularly test their information security procedures and controls. GLBA guidelines give institutions some flexibility on the test frequency, based on the results of the required risk analysis and assessment. Areas of concern and analysis were:

    • Security Compliance Review Using FFIEC Scoring Methods

    • Infrastructure Topology Review

    • Reviews of Internal Operational Controls and Procedures

    • Physical Security Assessment

    • Documenting and enforcing security policies based on business objectives and management commitment

    • Implementing a security management process

    • Establishing security awareness training programs

    • Controlling user access to sensitive information

    • Building encryption modeling

    • Providing security incident response and reporting procedures

    • Monitoring and enforcing security policy and technical compliance

HIPAA Compliance Risk Analysis & Assessment

This offering involves the review of both internal and external security controls to establish an overall program to control risk. HIPAA risk management includes not only risk analysis but also the management and tracking of the controls that are put in place as a result of the recommendations in the deliverable report. The goals of the assessment were defined as:

    • Inventory risks to the ePHI and medical records using industry standard risk determination matrices based on either qualitative or quantitative analysis methods

    • Identify the threats to these records and systems

    • Document vulnerabilities of the systems that store and manipulate them

    • Determine safeguards for mitigating these risks

    • Scope the subject of the threats

    • Assign risk levels

    • Enforce safeguards with policies

HIPAA Gap Analysis

This engagement involves the review of both internal and external security controls to establish an overall program to identify gaps in compliance. As part of the gap analysis engagement, the current state of policies, procedures and operations were reviewed for compliance with the Health Insurance Portability and Accountability Act (HIPAA) final Security Regulations. The result of this analysis allowed management to identify areas where gaps exist between regulatory specifications and current organizational policies and practices. The goals of the analysis were defined as:

    • Gap Analyses (Current State vs. HIPAA Security Standards)
    • HIPAA Security Rule Readiness Overview
    • Summary Matrix of Organizational Compliance/Gaps
    • Summary Roadmap of Remediation Activities to Close Compliance Gaps
    • Compilation of Raw Data, Questionnaires and Interviews