Risk Assessment and Compliance

Cyber Security Risk Assessment and Compliance Practice

Managing cyber security risks and the ever-changing threat landscape is a major challenge for customers today. Our portfolio of assessment services is designed to help you proactively identify risks to your business-critical applications and improve your cyber risk posture to protect your data and your customers.

A) FFIEC Readiness Assessment

The Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their cybersecurity preparedness. The assessment provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.

Complying with the FFIEC guidance is becoming a mandatory requirement for all types of financial institutions including banks, mortgage lenders, credit unions, thrifts & community banks.

Our FFIEC readiness assessment comprises two parts: Inherent Risk Profiling and assessing Cybersecurity Maturity.

The Inherent Risk Profile identifies the institution’s inherent risk before controls are implemented. We first assess the institution’s inherent risk profile based on five categories:
– Technology & Connection Types
– Delivery Channels
– Online/Mobile Products & Technology Services
– Organizational Characteristics
– External Threats

We next evaluate the institution’s Cybersecurity Maturity Level across five core domains that are aligned with the NIST cybersecurity framework.


B) Network Vulnerability Assessment & Penetration Testing Services

Vulnerability Assessment and Penetration Testing (VAPT) are integral components of a threat and vulnerability management process. They help identify information security weaknesses and protect valuable assets. According to the SANS Institute, “Vulnerabilities are the gateways by which threats are manifested”. Vulnerability assessments and pen tests need to be performed periodically to ensure continuous security posture improvement.

Our vulnerability assessment identifies and quantifies security vulnerabilities in your environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

Our penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of your organization. Using many industry standard tools and techniques, our penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data. Our pen tests can include both white box and black box testing services.

Key components of VAPT include testing for XSS, CSRF and SQL injection vulnerabilities, static & dynamic analysis, application of payloads and exploits, and use of manual & automated scripts. We leverage a variety of industry standard tools, scanners and traffic analyzers for network & security testing and penetration testing.

Our security testing practice leverages industry standard frameworks including
– OWASP Top 10
– SANS
– NIST

A comprehensive suite of reports that summarize the vulnerabilities and their severity levels, along with recommendations for risk mitigation and remediation, is provided as the output of this assessment.

C) Application Security Testing Services

Our Application Testing Services provide customers with security testing and vulnerability management expertise to nurture a robust software security assurance program. They include static and dynamic testing of the web and mobile applications that are critical to your business, helping you identify critical security issues early in the development cycle and prioritize remediation efforts across multiple teams and applications.

Web Application Security Testing

Websites and internet-facing software applications are prime targets of cybercrime with the intent of identity theft, data breach, service disruption and theft of intellectual property. In addition, malware writers target any web application to mount malvertising and drive-by attacks. We perform multi-aspect exploitability assessments and security reviews to address issues that can impact the reliability of your production applications.

Mobile Application Security Testing

Mobile apps are prone to both inherent platform-based unpatched vulnerabilities and flaws in configuration or deployment. Our teams have assessed hundreds of popular Android apps to rate their security posture. We apply this battle-hardened expertise to help validate that your brochure apps, utility apps, data apps and transactional apps are reliable and secure.

Coverage areas for Vulnerability Testing for Web & Mobile Applications
– Authentication and Session Management
– Data Validation
– Exploitable Information Leakage/ Reconnaissance risks
– Transport Layer Protection and Cryptographic Key Storage
– Code injection and cross-site scripting attacks
– Error and Exception Handling
– Business Logic Flaws
– Payment Card Information Handling
– Authorization, Identity and Access Control Design
– Binary and Code Reverse Engineering Protection
– API syncing and granularity of app permissions
– Secure App Development and Code Review

Key benefits of application security testing services include enhanced security and data protection, reduced operating risk through actionable analytics, and remediation advice to drive secure coding best practices.

D) BCP/DR Readiness Assessment

Our BCP/DR assessment services are designed to help organizations achieve operational continuity while ensuring compliance with industry-specific regulatory frameworks. They help enterprises deliver business continuity with proactive and event-driven services that are aligned with customer recovery time and recovery point objectives.

Key Components of BCP-DR Assessment:

The assessment is structured into 4 phases with specific deliverables at the end of each phase:
1. Current Maturity Assessment
2. End state definition and road map to achieve end-state
3. Maturity Assessment Report
4. Pragmatic high level actionable guidelines

The assessment focuses on multiple domains:
– Organizational Business Continuity and Disaster Recovery Framework
– Policy & Plan Reviews
– Risk & Threat Assessment
– Business Impact Analysis and the corresponding resilience posture
– Readiness of support groups (HR, Corporate Finance, Facilities, etc.)

Remediation services can include performing mock disaster and recovery exercises and tabletop simulations to build readiness and operational resilience.