TECHNOLOGY SECURITY AUDIT
Helping New Jersey State & City Governments Achieve and Maintain Regulatory Compliance

New Jersey's State and Local Governments are required by law to deploy and maintain strong security controls and demonstrate compliance with numerous regulations, often with limited budgets and staff. In order to maintain the public trust and enable citizens to securely access information, these government entities need to ensure that their IT systems are audited, monitored and protected.

ExterNetworks has developed a comprehensive technology audit designed to ensure the health and viability of a city's computer networks. Working closely with your internal IT department, the ExterNetworks Security Team minimizes your risk by identifying all areas of vulnerability, then crafting a customized wall of defense to ensure that your network is secure.

How it Works

The first step is to identify all computer and networking devices, including servers and workstations, in your environment. Once this is achieved, the ExterNetworks Security Team conducts detailed Vulnerability Assessment & Penetration Testing (VAPT) across your network(s). This includes:

- Open Source Security Testing Methodology Manual (OSSTMM) & National Security Agency (NSA) security guidelines
- Business logic vulnerability verification
- Manual verification of critical vulnerabilities by security experts
- False positive elimination
- The extensive experience of our analysts
- Utilization of automated commercial, proprietary and other industry leading tools
- Manual testing to identify and exploit vulnerabilities
- Reassessment to ensure all gaps are fixed

[Figure: The VAPT Process]

Copyright © 2015 ExterNetworks Inc. All rights reserved. www.externetworks.com

[Figure: Sample Threat Modeling]

Prerequisites for Conducting the Audit

1. A Letter of Authorization (LOA) or email from the customer.
2. List of IP addresses or networks included in the assessment.
3. In some cases, an exclusion (whitelisting) on the perimeter filtering device is needed so that scan probes can reach the targets.
4. Access to the domain controller with administrative privileges.
5. VPN connectivity to perform the internal assessment.
6. Scheduled time (testing window) to perform the assessment.
7. Point of contact to communicate any emergency situation that may arise during the scan.
8. The list of personnel who should receive the final assessment report.

Audit Methodology

ExterNetworks follows NSA security guidelines: http://www.nsa.gov/snac/

- Application Security Verification Standard Project (ASVSP) guidelines
- Covers all OSSTMM, Open Web Application Security Project (OWASP) Top Ten and all threat classes from the Web Application Security Consortium (WASC)
- Business logic vulnerability verification
- Security expert manual verification for critical vulnerabilities
- False positive elimination
- Utilization of automated commercial, proprietary and other industry leading tools
- Reassessment to ensure all gaps are fixed

Audit Deliverables

Detailed Penetration Testing Reports:

- Detailed Technical Report, discarding false positives
- Comprehensive Management Report
- Consulting and Knowledge Transfer

About Us

FISMA is the Federal Information Security Management Act of 2002. It imposes strong requirements to secure government information and holds federal agencies accountable for their success in meeting this goal. Organizations that exchange data with federal information systems also must comply with FISMA requirements and adhere to and demonstrate compliance with hundreds of controls contained in NIST Special Publication 800-53.

FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights are transferred are "eligible students."

The IRS requires state and local agencies receiving federal tax information (FTI) to protect it according to the strict security guidelines established in Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies.

After several years of high profile retail and payment processor data breaches, the attention toward credit card security has never been so high. Government, health clinics, hospitals and schools all use point-of-sale systems to charge citizens for services. These are now primary targets of criminals looking to profit from any security hole they can find that would lead them to the credit card data they need to commit transaction fraud or identity theft.

SANS TOP 20

The SANS 20 Critical Security Controls are a prioritized, risk-based approach to cyber security.

The U.S. Criminal Justice Information Services (CJIS) Division requires all state and local agencies accessing or processing Criminal Justice Information (CJI) to comply with the CJIS Security Policy.

Securing health care IT systems is growing more demanding day by day. The security and privacy mandates of the Health Information Portability and Accountability Act (HIPAA), the new rules and regulations associated with the recent Health Information Technology for Economic and Clinical Health (HITECH) Act, and an intricate maze of state and federal laws and regulations put a considerable burden on security managers in any organization that manages patient data.

About Us

Incorporated in the year 2001 and headquartered in New Jersey, USA, ExterNetworks has a global presence in 11 countries. With more than 650 full time employees and 1000+ field engineers, ExterNetworks is uniquely positioned with wide networking capabilities and large telecom partnerships to leverage the growing demand for distributed IT services and innovative solutions. ExterNetworks is ISO 9001:2008 DNV and US Europe Safe Harbor certified. It is also a Global Juniper Professional Services partner.

ExterNetworks has its Network Operations Center (NOC) and Security Operations Center (SOC) in India (Asia) and New Jersey (North America), along with Field Operations in strategic locations such as Canada, Brazil, London, Saudi Arabia, the UAE, Pakistan and Singapore.

We are a single-source technology provider with well-developed units for key outsourcing requirements, so you can talk to us to deliver an all-around IT Outsourcing Package that includes IT talent management, IT management and application development. With us, you are not just getting IT Outsourcing to gain operational efficiency; we become a portable and easily scalable innovative branch of your business for competitiveness and growth.

T: 1-800-238-6360
W: www.externetworks.com
E: sales@externetworks.com
10 Corporate Place South, Suite 1-05, Piscataway, NJ 08854
Office: (732) 465-0001, Fax: (732) 465-0005

Copyright © 2015 ExterNetworks. All rights reserved. ExterNetworks is a registered trademark of ExterNetworks Inc. All other product or company names are used for identification purposes only, and may be trademarks of their respective owners.