Services |
Information security governance |
National privacy policy due diligence auditing |
As of 21 December 2001, all organisations are required to comply with the National Privacy Policies, which include a specific Data Security module. This module is referred to as NPP4 Data Security.
The development of information technology and the Internet has dramatically increased the quantity of information available in digital form. This proliferation of digital information affects all facets of the private and commercial community and puts individuals at risk of having their personal information shared unduly.
Paper-based systems provide a certain level of privacy protection; however, their inherent limitations have forced the migration of personal information into IT systems, which has major implications for the privacy of individuals.
The act has two major points:
4.1 An organisation must take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access, modification or disclosure.
4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose for which it was originally collected.
Companies which fail to comply with the NPP4 can and will be prosecuted. Senior managers are considered to be personally liable for the security of the personal information held by their company of employment.
Sentinel Data Security provides a "signing off" service in which we confirm a company's compliance with relevant policies.
|
Policies, procedures and guidelines development |
Your security policy serves as a map for your organisation, demonstrating ways to protect itself from internal and external attacks as well as employee mistakes.
Information security policies support the security and management of information resources. They are the foundation, the bottom line, of information security within your organisation.
The security policy for an organisation is comprised of a collection of documents including the policy itself, procedures, guidelines and standards. These documents provide an organisation with a broad summary of their security as well as the step-by-step installation details of the particular system.
These policy documents address the need to protect personnel, information and property assets. Furthermore they provide management with detailed action plans which can be employed in the event that a company's information assets or activities are in jeopardy.
Sentinel Data Security closely aligns its policy frameworks with the Australian and International legal standards (AS/NZS 4444 & ISO 17799). This will ensure that the organisation meets its legal requirements, adheres to its industry best practices and is up to international standards, while protecting itself from potential threats.
Incident Response Policy:
Managing the aftermath of an attack requires a high level of security expertise to ensure that disaster recovery and forensics investigations are successful. Sentinel will inform clients of how the attack was perpetrated and advise companies on ways to re-establish the integrity of their network or system. Sentinel can also conduct computer fraud investigation and gather evidence to help with prosecution.
Disaster Recovery Procedure:
It is imperative for organisations to develop a comprehensive disaster recovery plan. The disaster recovery plan should cover all essential and critical business activities.
This DR plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that all employees are confident in executing the procedure should the need arise. These procedures must be kept up to date, evolving and advancing along with the changing circumstances of your company. Naturally, staff must be made aware of the recovery procedure(s) and their personal role, and be informed of any amendments made to the plan.
|
Vulnerability assessment |
Penetration testing |
Penetration testing involves combining a Security Architectural Review and a Vulnerability Assessment. Doing so gives Sentinel Data Security the ability to assess the overall security of the information system.
Sentinel Data Security Penetration testing is undertaken to inspect and test out the effectiveness of your company's security policies and procedures, network topology, system design, and staff responses.
Our Penetration testing methodology is designed to simulate a thorough 'real-world' attack by applying the same techniques commonly used by attackers.
External Penetration Testing
While internal and external vulnerability assessments identify your network's security weaknesses by scanning network assets, external penetration testing goes further by forcing a path into your network and exposing misconfigurations and holes. Revealing these holes will demonstrate the possible ramifications to your reputation and information assets should your company fall victim to attack.
These tests are custom designed to cover whatever system platforms, network devices, software or applications comprise your IT infrastructure and assets. This form of testing is very comprehensive: not only does it exhibit an intruder's view of your system, it also examines its configurations and management.
Internal Penetration Testing
Internal penetration testing is a procedure by which Sentinel Data Security demonstrates to your company the results of an attack perpetrated from within.
These types of attacks are generally carried out by disgruntled employees. However, this is not always the case; causes can be anything from incorrectly configured servers to inadequate password protection at workstations, or a failure to install the appropriate security patches on a particular program.
All of these problems can arise from within your company's internal network, either through malicious intent or simple incompetence. By putting your internal network through its paces, you will be able to identify and rectify any security weaknesses before they cause problems.
Deliverables:
Sentinel Data Security identifies existing vulnerabilities, both system specific and architectural. We will then recommend suitable countermeasures and solutions for all sighted liabilities. This will mitigate the risk of your company suffering loss of integrity, confidentiality and key information assets.
Sentinel Data Security will establish a baseline of the tested network, the hosts and services available to potential attackers. This baseline enables you to better manage risk and make appropriate alterations as technology evolves and your information assets change.
Advantages:
In order to maintain the necessary level of security, your company must continually assess its vulnerability; penetration testing is essential. Sentinel provides advanced reporting on your company's susceptibility to attacks as well as proactive security trend analysis.
The format and content of these reports is reader-friendly, ensuring that appointed personnel are able to recognise and remedy identified weaknesses. Also included in the report is an executive summary, negating the need for management to read the entire report in order to recognise the implications of its findings.
|
Network design audits |
Initially, Sentinel will evaluate your company's network infrastructure in order to improve security accordingly and to maximise reliability and productivity. Then, based on a classification of services and their role within your network, Sentinel can separate servers into different zones in order to reduce the impact should a security breach occur.
|
Social engineering |
Social engineering is the term given to the art of exploiting the human weakness of trust. In practice, this can include tricking employees into divulging confidential information such as passwords, access codes or system information. Often attackers are able to glean sufficient information from unsuspecting and untrained staff that they are able to use this technique to compromise a company's security.
Sentinel is able to 'test' your company by employing the methods typically used, in order to assess your staff confidentiality training levels and physical security policies.
|
Application source code audits |
Sentinel Data Security's Application Architectural Review service identifies vulnerabilities in your software by analysing the overall design of the system as well as the source code itself. This analysis identifies the key areas of the application architecture and design which pose the greatest risk to an application.
Sentinel's Source Code Audit thoroughly reviews the source code of your application; it prioritises vulnerabilities and offers solutions for threat reduction.
Sentinel combines automated analysis with manual human analysis, returning a thorough result that ensures code correctness and security.
The discovered flaws and mitigation information help developers avoid the discovered programming pitfalls in the future.
|
Response management |
Forensics |
Modern technology combined with our advanced forensic techniques enables Sentinel to provide your company with fast and reliable forensics data analysis in the event of a system security breach.
|
Anton Piller search orders |
Anton Piller search orders give a copyright owner the ability to obtain a federal court order allowing them to enter the premises of any parties which are suspected to be infringing upon their copyrights. This legislation gives Sentinel staff enormous power when it comes to the seizure of data and forensic investigation.
|
Network/system forensics |
Should a security breach occur, Sentinel will analyse the available data, tracing it back to the source of the attack. By tracing the attack to its root, Sentinel are able to identify and record any 'footprints' the attacker may have left, evidence which can be required to take responsive legal action.