ISO 27001 Consulting


ISO 27001 Gap Analysis, ISO 27001 Risk Assessment & ISO 27001 Compliance services

ISO 27001 Implementation Services

Customers subscribe to our ISO 27001 Implementation and Certification service to build an effective and usable Information Security Management System. ValueMentor focuses on ensuring that the ISMS is repeatable, effective and provides compliance with regulations such as the IT Act and ISR. This means our ISMS implementation will not only get you ISO 27001 certified but also ensures that it is relevant to your organization’s context and meets your compliance requirements.

The ValueMentor team is made up of subject matter experts, strategy experts and technical / operations experts. To build an ISMS for your organization, ValueMentor consultants will learn your business, your vision and the information security requirements of your business along with the compliance needs.

Turnkey ISO 27001 ISMS Service

ValueMentor helps you implement, from the ground up, an ISMS based on the ISO 27001 standard that is certifiable. This process includes a number of stages and various levels of engagement. This allows us to identify the current stage of your ISMS and choose the right level of engagement for your organization.

Expert ISO 27001 Consultants

The ValueMentor team can help you implement the ISO 27001 standard in as little as 4 months.

(Figure: ISO 27001 phases)

Scoping & ISO 27001 Awareness

Defining the scope of your ISO 27001 certification is critical in developing the ISO 27001 success plans. A detailed ISO 27001 scoping exercise identifies the information environment to be protected and identifies the internal and external stakeholders of the project.

ISO 27001 GAP Assessment

If you are considering the ISO 27001 implementation, the first step to perform is an ISO 27001 GAP Assessment. Our ISO 27001 GAP assessment service is focused on providing clarity on the current state and the level of effort that is needed to achieve ISO 27001 certification.

ISO 27001 Risk Assessment

Risk Assessment helps the organization identify the information security risks to your information assets. ISO 27001 Risk Assessments are one of our most used service engagements. Our proven process helps you identify the assets in scope and the associated threats and vulnerabilities, then utilizes a proven risk management framework to provide you with clarity on your ISMS security risk levels, meeting the risk assessment requirements of ISO 27001.

ISMS Policies & Documentation

ISO 27001 Security Awareness

Security Awareness among the staff is a key factor in a successful ISMS. Our Security Training and Awareness service includes Classroom and Online training, periodic evaluation and certification on Security Awareness for every individual participating in the program.

ISMS Internal Audits

One of the key steps towards ISO 27001 certification is the Internal Audit. Many of our clients do not have an ISO 27001 auditor on staff, and we step in to help our clients perform the ISO 27001 internal audits. Our audit team performs the internal audit on your behalf and helps you position yourself better for your ISO 27001 certification.

ISO 27001 Certification Audit Support

ISO 27001 certification audits are always challenging. Our experts will participate in the ISO 27001 Certification audit alongside your staff members. We will make sure that the audit is performed in a logical and reasonable manner and ensure that all external auditor concerns are addressed.

PCI DSS Compliance


ValueMentor and Panacea InfoSec have joined hands to provide an End-to-End PCI DSS Consulting and Certification service. Our PCI Compliance team is made up of PCI QSAs, subject matter experts, strategy experts and technical / operations experts. As a leading PCI DSS compliance service provider, we are ideally placed to help you become compliant and stay compliant with this standard.

All organizations that store, transmit or process cardholder information need to comply with the standard. ValueMentor provides PCI DSS compliance assessment service.

When your organization is ready for the certification audit, Panacea will deploy its PCI Audit team of QSAs to perform the onsite PCI Audit. These audit reports are subject to internal quality checks, after successful completion of which a Report on Compliance (RoC) will be issued to the client. Additionally, our team will submit the appropriate documentation to the card brands. A website seal will also be provided to the client.

PCI DSS Scoping to PCI Compliance Certification

The ValueMentor and Panacea team can help you sail through the complex stages of the PCI compliance process and lead you to obtain PCI Certification.

Scoping & PCI Awareness

Getting the scope of your payment system audit project right is key to ensuring that you achieve compliance in an efficient and cost effective manner. We are ideally placed to carry out scoping activities either in the initial stages of a PCI DSS audit project or as the project progresses.

PCI DSS Penetration Testing

Our security analysts can perform the annual PCI Penetration Tests and Quarterly PCI Scans. We run an annual programme of penetration testing and vulnerability assessment (PCI Scans) that helps you meet PCI DSS requirements and assess the security of your applications and networks.

PCI DSS GAP Assessment

Performing a PCI DSS Gap Assessment is seen by many as one of the first steps along the way to PCI DSS compliance. A PCI gap analysis provides a detailed and itemized report showing how you are currently managing each control area against the PCI DSS compliance requirements.

PCI Training & Awareness

PCI Awareness among the staff is a key factor in a successful PCI Audit. Our PCI Training and Awareness service includes Classroom and Online training, periodic evaluation and certification on PCI Awareness for every individual participating in the program.

PCI Remediation Support

The areas of concern and remediation plans are identified and developed during the PCI DSS Gap Assessment phase. Our PCI Implementation team acts as Trusted Advisors to provide ongoing support and guidance through the remediation phases of a PCI DSS compliance project.

PCI QSA Audit

Once the PCI Implementation is complete, our PCI QSAs can prepare you for the PCI QSA audit. As Qualified Security Assessors (PCI QSAs), we also complete the final QSA audit for you and liaise with your acquiring bank to report your compliance status.

Application Security Assessments


Web applications play a key role in today’s business and connect organizations with their customers, partners and suppliers. For most organizations, web applications connect to the most critical information assets within the organization. This makes web applications the most attractive target for hackers, and statistics show that weak web applications are responsible for a majority of reported security breaches.

ValueMentor’s Application Security Assessment Service is focused on providing you the information required so that you can ensure the security of your web applications and critical information.

Our security analysts assess your applications using the OWASP guidelines and go beyond the OWASP Top 10 vulnerabilities in our testing. A key deliverable of our service is the actionable report, which not only represents the current state of your application but also gives recommendations on fixing the security issues identified.

Our web application assessments are designed to review all types of web application, ranging from WordPress sites through to online banking environments or even control systems for critical national infrastructure. This helps to improve data and network security by assessing your application’s vulnerabilities.

All of our testing is in line with OWASP recommendations, and our security consultants ensure your web applications meet and exceed the Open Web Application Security Project’s (OWASP) Top Ten recommendations for web application security.

Our approach to application security assessment is based on identifying any vulnerabilities that could affect the application’s ability to protect the information it owns and operates on, and recommending improvement opportunities to ensure the confidentiality, integrity and availability of the information assets.

The risks discovered are classified as High, Medium or Low based on two parameters: the impact of the risk and the complexity of the attack required to carry out the exploit. Each of these two parameters is rated on a scale of Low to High, and the final risk rating is derived from these ratings.

Web application vulnerabilities are exploited in a controlled, non-destructive manner. Our testing process includes activities such as password attacks, application-level DoS attacks, application client tests such as browser vulnerabilities and application impact, as well as the OWASP Top 10 vulnerabilities.

Our tests and assessment criteria check for an exhaustive set of security vulnerabilities and threats. We make use of penetration testing tools like IBM Security AppScan, Acunetix Vulnerability Scanner, Nessus etc. depending on the objectives of the security assessment.

During our high-level testing process, we utilize automated vulnerability scanners to detect and verify known vulnerabilities. The results of the vulnerability scanning are manually verified to ensure that all false positives are eliminated.

Accuracy of test results is a salient feature of our offering. Our findings and recommendations are more accurate than those of automated tools alone, as our testing is done by security experts who validate every finding that goes into the report. An executive and technical summary with detailed technical findings and remedial actions is delivered to the client at the end of the testing process.

Network Penetration Testing


Penetration Testing is an access control testing technique used to enhance your organization’s information security program. Penetration Testing, or PenTest, is the process of testing your computer systems to find vulnerabilities that could be exploited by an attacker.

Penetration Testing Services

At ValueMentor, we provide comprehensive security testing and IT security assessments for your organization. A security assessment discovers critical issues that are a threat to your organization, shows how well your resources and information are protected, and helps in reducing the risk of a data breach.

Penetration testing framework

ValueMentor has developed, tried and tested its VAPT framework, which is based on industry standards and compliance requirements such as OSSTMM, OWASP, PCI DSS and NIST. Our documented penetration testing methodology ensures that you receive quality, repeatable results, and minimizes the risk to your systems under test.

Our security team uses a number of VAPT tools to simulate attackers on the internet. This includes in-house developed scripts, open source security testing tools and various commercial penetration testing tools. Keeping up to date with newly disclosed security vulnerabilities is a requirement for an effective penetration testing practice. Our penetration testing methodology includes the process for identifying newly discovered exploitable vulnerabilities as well as exploitation tools.

Penetration testing results

Our team of security experts identifies vulnerabilities that cannot be identified using conventional testing methods and offers you guidance on how to protect your critical infrastructure, harden web applications, protect sensitive data, and spread security awareness throughout your organization.

We produce a comprehensive report covering the approach taken, the techniques applied and the vulnerabilities identified, and make procedural and strategic recommendations to ensure that your systems are secure against future attacks.

Can a hacker break into your network? Contact us to find out.

NESA Compliance Services in UAE


About NESA Compliance

NESA Compliance provides a framework for achieving effective cyber security. NESA UAE, the National Electronic Security Authority, was set up to improve national cyber security efforts across the UAE. NESA operates under the Supreme Council for National Security and is the federal authority responsible for improving cyber security, increasing awareness and managing collective cyber security risk across the UAE.

NESA has released a number of documents (NESA Guidelines and Standards) to help organizations improve their cyber security. NESA compliance is mandatory for all government entities in the UAE and for those entities identified by NESA as critical information infrastructure.

NESA Standards

NESA UAE compliance involves meeting cyber security requirements based on the UAE National Cyber Security Strategy (NCSS), developed and governed by NESA, which defines the protection requirements of UAE cyberspace. The primary standard to follow for NESA compliance is the UAE Information Assurance Standards (UAE IAS). Additionally, the NESA National Cyber Risk Management Framework defines the NESA Risk Assessment process.

Our approach towards NESA Compliance

ValueMentor approaches NESA Compliance in a phased manner.

(Figure: NESA Compliance Process)

The NESA IAS is a set of 188 controls, which includes 35 mandatory controls. The mandatory controls are considered “Always Applicable” as they form the founding capabilities of cyber security management in an organization. The remaining 153 security controls of the UAE IAS are to be implemented based on their applicability, which is derived from the risk assessment results.

Mobile Application Security & Risk Analysis


Mobile applications are increasing in number every day. Today more mobile phones and tablets access web applications than PCs. An increase in mobile applications means more application vulnerabilities and thus more security incidents.

Many mobile applications we have assessed recently indicate the need for continuous security assessment of mobile applications. Mobile application vulnerabilities often lead to customer privacy violations and/or data loss. Considering this, it is important to perform a holistic security review as part of your mobile application deployment strategy.

ValueMentor Consulting offers a detailed security analysis of your mobile application as part of our Mobile Application Security Assessment service. Our testing methods use both automated and manual testing. Our automated tests detect many of the common vulnerabilities of your mobile application; however, manual testing by our security experts uncovers many more issues than the automated tests.

Our Mobile Application Security methodology is based on the OWASP Mobile Security project and tests both the client application and the server side.

Virtual CISO Services


Businesses, small or big, are facing increased pressure to secure their working environment from hackers and data loss and to protect their online reputation. Ever-increasing compliance and regulatory requirements (like PCI, HIPAA, partner contracts, or customer demands) are another challenge faced by organizations. Many regulatory and compliance requirements affecting the storage and use of data directly penalize executive management if processes, systems and security measures are not in line with the compliance requirements. This brings the need for a security expert with experience and knowledge in managing security, privacy and compliance requirements. This is not the job of an IT Manager but of a specialist security professional. The Virtual CISO (vCISO) service from ValueMentor is a subscription-based security management offering geared towards helping small to mid-sized companies that would prefer to partner with a specialist information security firm to perform some or all CISO functions.

Why you need it

Small to mid-sized organizations are required to adhere to a wide range of legal, regulatory and contractual security requirements; however, for a number of reasons (such as high costs and limited availability of qualified resources) they find it difficult to keep up. Most of these organizations have staff who can manage technology products, but remain challenged when it comes to addressing their long-term or strategic security needs. Hiring full-time staff at an executive level can be a very expensive matter. Chances are you don’t really need a full-time resource, though; all you really need is a trusted advisor who can provide security leadership and guidance ‘on demand’ and help out with the ‘heavy lifting’ when necessary.

How it works

The ValueMentor vCISO subscription service provides you with a virtual security advisor who can answer your questions and help guide your security efforts in a way that makes sense. As part of the annual subscription, you purchase a number of hours every month that can be used for your security requirements. Whether you need a lot of help or just a little, you will have a highly qualified security professional available to you on a retainer basis as a member of your team, but without the cost of a full-time employee. Your appointed vCISO is able to engage with you whenever you need help and assistance. Even when they are not actively working on your business, they are a phone call or email away. With this onsite and offsite model, you get the best possible service at the least cost. As and when the vCISO is engaged in your business-related work (onsite or offsite), the time used to support your requests is deducted from your pool. You get a monthly statement of the work performed by the security advisor in protecting your organization’s information assets.

RBI IS Audits


The IS Audit is an integral component of a discerning bank’s pursuit of robust IT security and actionable oversight. Solid corporate governance requires that banks regularly undergo audits of their IT security and infrastructure. By using our customized tools, expert resources and proven methodologies, we tailor our IT audit services to your specific needs. Our experienced professionals bring a deep understanding of Internal Information System Audits, Application Control and Security Services, as well as Pre- and Post-Implementation Reviews of your IT infrastructure.

Information System Audits (commonly known as IS Audits) help management understand the risks associated with the Information System function within an organization. With the widespread adoption of technology by banks, technology-related risks to the banking environment have increased. This change demands the development of Internal Control Frameworks that address IT controls.

ValueMentor offers an IS audit service specifically addressing the RBI requirements for Information System (IS) Audits. To ensure compliance with the RBI IS Audit guidelines, our process incorporates the scoping guidelines from the Reserve Bank of India. According to the Reserve Bank of India (RBI) Guidelines, an IS Audit should cover the following scope:

  • Determining effectiveness of planning and oversight of IT activities
  • Evaluating adequacy of operating processes and internal controls
  • Determining adequacy of enterprise-wide compliance efforts, related to IT policies and internal control procedures
  • Identifying areas with deficient internal controls, recommend corrective action to address deficiencies and follow-up, to ensure that the management effectively implements the required actions

ValueMentor Consulting, in compliance with the RBI guidelines, offers a wide range of services to the banking industry, including IS Audits. Our auditors hold certifications such as CISA and CISSP, as required by the RBI Guidelines.

Our audit provides an independent report to management on the assurance status with regard to the integrity and effectiveness of systems and controls. Our auditors ensure the “Independence” required and practice the “Due Professional Care” needed for a successful audit.

Our IT assurance professionals have many years of IT control and audit experience, which is complemented by professional accreditations such as:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • Certified in Risk and Information Systems Control (CRISC)
  • Certified Information Security Manager (CISM)

and affiliations, including membership in the Information Systems Audit and Control Association (ISACA).

IT Act 2008 Consultancy


Information security in India is not just a business requirement but a legal requirement. Compliance with the Indian IT Act ensures that your organization’s IT infrastructure, systems and processes are in line with the IT Act 2008 requirements.

According to the IT Act 2008, the executive responsible for IT (CEO/CRO/CIO/CFO) in an organization in India is responsible for any cyber security incident originating from the organization. Not implementing “Reasonable Security Practices” can even lead to imprisonment for these senior executives, not to mention the financial liabilities.

Why comply with IT Act 2008

  • IT Act 2008 focuses on cyber security
  • Head of the organization is directly responsible for ensuring the legal compliance with the IT Act, just like any other legal requirements in India (Section 85, IT Act 2000)
  • Companies are required to ensure “Reasonable Security Practices” are implemented and “Due Diligence” is performed
  • Information Security is not only a business requirement, but also a legal requirement

How ValueMentor Consulting can help you comply with IT Act 2008

  • Perform GAP analysis of IT Act compliance
  • Develop required policies and procedures
  • Implement standards such as ISO 27001 to ensure reasonable security practices are achieved
  • Run your Information Security Program & IT Act compliance without having to employ a full time staff
  • Perform periodic security assessments and IT Audits

Security Device Management


Have you updated your security device configurations to address new threats?

Security devices such as firewalls, IPS and IDS are only as good as their configuration. To ensure effective cyber security, these devices must undergo full maintenance, updates, rule changes and tuning so that they can combat upcoming challenges and threats.

Our security device management service ensures that clients are able to optimize their current technology investment by achieving optimum usage.

ValueMentor experts will help you in provisioning, updating and configuring devices such as firewalls, IDS/IPS, VPNs, UTMs, WAFs, DAMs, SIEMs and endpoint security devices. Managing security devices requires a specialized skill set and constant attention, so we ensure that the security engineers we deploy are experienced and certified. This helps our team optimize your security devices to achieve higher performance.