Checklist - All Articles - CISO Platform
2024-03-29T10:28:02Z
https://www.cisoplatform.com/profiles/blogs/feed/tag/Checklist

Checklist For Selecting Firewall Vendor
https://www.cisoplatform.com/profiles/blogs/checklist-for-selecting-firewall-vendor
2014-03-10T13:00:00.000Z
pritha (https://www.cisoplatform.com/members/pritha)
<div><p><span class="font-size-4">How should a CISO define the requirements for solutions in the Firewall domain?</span></p>
<ul>
<li>Ascertain the total throughput required. The requirement should be finalized keeping in view the current traffic as well as the expected increase in volumes over at least the next 3-5 years.</li>
<li>Ascertain the throughput required for each individual interface.</li>
<li>Determine how many interfaces are required in the firewall.</li>
<li>Determine whether additional modules (IPS, anti-spoofing, etc.) are required and, if so, which ones.</li>
<li>Identify any technological constraints or specific requirements.</li>
</ul>
<p><span class="font-size-4">What are the key parameters based on which CISO would choose a vendor for the same?</span></p>
<ul>
<li>The vendor should have prior experience in the supply, installation and maintenance of information security devices on projects of comparable size. The number of successful deployments should be considered.</li>
<li>The vendor should be an authorized partner of the OEM of the equipment to be supplied.</li>
<li>The vendor's previous record of supply, maintenance and business dealings should be unblemished, with a history of successfully supplying and deploying information security equipment.</li>
<li>The vendor should have qualified staff on its rolls to support the supplied equipment; these staff should hold OEM certifications on the product.</li>
<li>Licensing and fee requirements should be crystallized based on factors such as throughput, components, applications, sites, etc.</li>
</ul>
<p><span class="font-size-4">Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist</span></p>
<ul>
<li>Is the proposed solution nearing end of life / end of sale / end of support? Residual life should be at least 5 years.</li>
<li>The life road map of the system should ensure that the solution is covered under OEM support for at least 5 years from the date of purchase / installation.</li>
<li>What is the vendor's support structure, and how will support be provided (on-site, off-site, remote, session logs and audit)?</li>
<li>How will updates / patches be made available? (Online, regular updates at a fixed frequency are preferable.)</li>
<li>What is the SLA (with specific reference to uptime assurance and turnaround time)?</li>
<li>What is the level of engagement with the OEM for the supply? (It should cover both supply and support.)</li>
<li>What are the responsibilities of the OEM towards the purchaser (for supply, installation and maintenance)?</li>
<li>If the front-ending vendor's engagement ends abruptly, will the OEM provide an alternative, and with what quality / assurance?</li>
</ul>
<p><span class="font-size-4">Top mistakes to avoid while selecting a vendor?</span></p>
<ul>
<li>The solution should not be nearing its end of life / end of support.</li>
<li>There should be no ambiguity regarding the terms and conditions of services.</li>
<li>The tenure of engagement of the vendor's services should be amply clear and accepted in writing by both parties.</li>
<li>Documents submitted by vendors should be verified against the original source or an alternate source before selection.</li>
<li>Price discovery should be done wherever possible.</li>
</ul>
<p><em>-Sunil Soni, CISO and Assistant General Manager, Punjab National Bank, tells CISO Platform about selecting firewall vendors</em></p>
</div>
Firewall Checklist - Top 10 Things Your Next Firewall Must Do!
https://www.cisoplatform.com/profiles/blogs/firewall-checklist-the-top-10-things-your-next-firewall-must-do
2014-05-08T12:00:00.000Z
CISO Platform (https://www.cisoplatform.com/members/CISOPlatform)
<div><p><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">The <strong>next-generation firewall</strong> is well defined by Gartner as something new and enterprise-focused, <strong>“incorporating full-stack inspection to support intrusion prevention, application-level inspection and granular policy control”</strong>.</span></p>
<p><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Most network security vendors are now offering application visibility and control by either adding application signatures to their IPS engine, or offering you an add-on license for an application control module. In either case, these options are additive to a port-based firewall, and do little to help you focus on the fundamental tasks your firewall is designed to execute.</span></p>
<p><strong><span class="font-size-4">>><a href="http://www.cisoplatform.com/page/paloalto-firewall-checklist-10-things-your-next-firewall-must-do" target="_blank">Click here for Complete Checklist & Detailed Report</a></span></strong></p>
<p><span style="color:#3366ff;font-family:arial, helvetica, sans-serif;" class="font-size-4"><strong>Next-Generation Firewall Requirements:</strong></span></p>
<ul>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Identify applications regardless of port, protocol, evasive tactic or decryption.</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Identify users regardless of device or IP address.</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Decrypt outbound SSL.</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Protect in real-time against known and unknown threats embedded across applications.</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Deliver predictable, multi-gigabit inline deployment.</span></li>
</ul>
<p><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Firewall selection criteria will typically fall into three areas: security functions, operations, and performance. The security functional elements correspond to the efficacy of the security controls, and the ability of your team to manage the risk associated with the applications traversing your network. From an operations perspective, the big question is, “where does application policy live, and how hard or complex is it for your team to manage?”</span></p>
<p><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">The performance question is simple: can the firewall do what it’s supposed to do at the throughput your business needs?</span></p>
<p><span style="color:#3366ff;font-family:arial, helvetica, sans-serif;" class="font-size-4"><strong>The Top 10 Things Your Next Firewall Must Do are:</strong></span></p>
<ul>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Identify and control applications on any port</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Identify and control circumventors</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Decrypt outbound SSL and control SSH</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Provide application function control</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Systematically manage unknown traffic</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Scan for viruses and malware in all applications, on all ports</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Enable the same application visibility and control for all users and devices</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Make network security simpler, not more complex, with the addition of application control</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Deliver the same throughput and performance with application control fully activated</span></li>
<li><span style="font-family:arial, helvetica, sans-serif;color:#333333;" class="font-size-3">Support the exact same firewall functions in both a hardware and virtualized form factor</span></li>
</ul>
<p><em><span style="font-family:arial, helvetica, sans-serif;" class="font-size-3">What does 'NextGen Firewall' mean to you? Are there more features that should be added to the checklist? Share your views in the comments below.</span></em></p></div>
Checklist for PCI DSS Implementation & Certification
https://www.cisoplatform.com/profiles/blogs/checklist-pci-dss-implementation-certification
2014-06-24T14:30:00.000Z
pritha (https://www.cisoplatform.com/members/pritha)
<div><p>PCI DSS – Stringent but Exhilarating to Implement (Project PCI DSS Implementation & Certification)</p>
<p>PCI DSS stands for Payment Card Industry Data Security Standard. It is a robust, comprehensive, technology-driven, transparent and explicit standard that enhances security controls around payment card and related account data by ensuring the safe handling of cardholder information at every step, thereby reducing payment card fraud arising from its exposure.</p>
<p>PCI certification is mandated for any organization that stores, processes, views or transmits critical cardholder information. The organization must comply with all applicable requirements of the standard, as determined by business, scoping and risk assessment outcomes, without any deviation; that is what makes this standard reliable and effective.</p>
<p>The standard has 6 control objectives, 12 requirements and 204 sub-requirements. Validation of compliance against them is performed annually by a QSA, based on scope applicability, and a compliance status is issued that includes an Attestation of Compliance (AOC) and a Report of Compliance (ROC), supported by a Certification of Compliance (COC) from the QSA.</p>
<p>The key to achieving compliance (report) without hindrance lies in effective business understanding, scoping, risk assessment and pre-assessment (assess), which in turn help plan the activities seamlessly by aligning requirements with suitable technologies and processes (remediate). This applies to new implementations as well as programs under maintenance.</p>
<p>In spite of its stringent requirements, I found this standard COOL to implement and maintain, thanks to its clear directions, which in turn boost security effortlessly by ensuring actual security at all levels (physical security, environmental security, personnel security, fraud control mechanisms, IT & data security, data privacy, and a managed & monitored business environment), thereby leading to compliance.</p>
<p><em><span class="font-size-4"><strong>Key to Success</strong></span></em></p>
<ol>
<li>Clear business understanding and proper scoping</li>
<li>Dipstick risk assessment & stringent pre-assessment, followed by immediate and effective remediation</li>
<li>Effective alignment of technologies and processes with requirements</li>
<li>Proper scoping of IT assets, considering primary and secondary processing sites, including data center sites if you have separate ones</li>
<li>Monitored, requirement-based privileged access</li>
<li>Treat it as a yearly program with a do-or-die approach, without deferring activities to next year for improvement</li>
<li>Identifying and engaging a proper QSA, ASV & other service providers with the capability to address your queries and needs in time</li>
<li>Controlled and monitored environment</li>
<li>Effective record maintenance, including agreements and AMCs</li>
<li>Build the sustenance capability</li>
</ol>
<p><span class="font-size-4"><em><strong>Key Learning: Dos and Don’ts</strong></em></span></p>
<p><strong>Dos</strong></p>
<ol>
<li>Do have an annual, time-bound program based on the assess, remediate, report concept, with proper governance led by a senior, empowered manager with adequate domain expertise, including sound technical, managerial, strategic, analytical, negotiating and influencing skills</li>
<li>Do build capability among the major stakeholder teams for implementation and sustenance by providing adequate role-based training; these teams mainly include Risk, Security, IT, HR, Facility, Audit and end-users</li>
<li>Do appoint a knowledgeable QSA, or conduct a self-assessment using the applicable version of the SAQ</li>
<li>Do treat pre-assessment and VA/PT findings seriously and remediate ASAP</li>
<li>Do ensure in-time achievement of all milestones without fail</li>
<li>Do aim at achieving security while implementing or remediating; compliance will follow automatically</li>
<li>Do ensure proper scope coverage, considering the end-to-end requirements related to governance, business operations, statutory & regulatory requirements, security & compliance operations, IT security & operations, data security & privacy, personnel security & fraud controls, and physical & environmental security</li>
<li>Do consider the current technology, processes and practices in place and fix any gaps, to achieve compliance with ease and in a cost-effective fashion</li>
</ol>
<p><strong>Don’ts</strong></p>
<ol>
<li>Do not mistake this for a project or a simple technical implementation; it is a collaborative program</li>
<li>Do not aim to achieve compliance by compromising security; it may lead to major pain</li>
<li>Do not do the self-assessment unless you have a clear understanding of the requirements</li>
<li>Do not opt for a long time frame for implementation / remediation; it may lead to more non-compliance</li>
<li>Do not go for risk acceptance supported by compensating controls except for a truly unavoidable business need</li>
<li>Do not leave VA/PT action items open on the assumption that you have a quarter's time frame. Remediate the outcomes of the following ASAP: the four quarterly internal VAs, wireless VA & rogue detection, ASV scans, and the annual internal & external PT.</li>
<li>Do not do a risk assessment merely for the sake of compliance</li>
<li>Do not adopt a new technology or practice unless required</li>
</ol>
<p><em>-With Lopa Mudra Basu, SLK Global, on the Dos and Don'ts of PCI DSS</em></p>
<p><em>Are there other aspects or Dos and Don'ts you consider for PCI DSS? Share your views with us in the comments below.</em></p>
</div>
Vendor Security Assessment Checklist to Evaluate IT Project Vendors
https://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-it-project-vendors
2014-06-24T14:30:00.000Z
pritha (https://www.cisoplatform.com/members/pritha)
<div><p>For many organizations the success or failure of IT initiatives is predicated on the selection of the appropriate technology vendor. Despite the critical nature of this process, many organizations underestimate the time and effort it takes to make a well-informed decision. This article, drawn from my personal experience and learning while delivering complete IT projects at Pay Point India, is meant to serve as a guide to help you understand and think through the critical steps in the vendor selection process.</p>
<div><p>As you read this, please keep in mind that as an organization goes through the vendor selection process it is not uncommon for other business processes or organizational needs to be revealed. It is important to remember that technology projects are often not just about the technology, but rather the health and effectiveness of the entire organization. This learning experience focuses on the process of selecting a vendor, and assumes that other important organizational change management issues are being addressed in concert to support this process.</p>
<p><strong>Seven Step Model</strong></p>
<ul>
<li>ASSESS FEASIBILITY - Is this viable for my organization?</li>
<li>GATHER REQUIREMENTS - What does my organization need?</li>
<li>RESEARCH & REFINE OPTIONS - What solutions/vendors might fit my needs?</li>
<li>EVALUATE VENDORS - What is the best fit for my organization’s needs?</li>
<li>SELECT & ENGAGE VENDOR - Is this a reasonable price and contract?</li>
<li>MANAGE IMPLEMENTATION - Has the vendor delivered on its promises?</li>
<li>SUPPORT & MAINTENANCE - How will we maintain the solution and support it?</li>
</ul>
<p><strong>STEP 1: ASSESSING FEASIBILITY</strong></p>
<p><strong>Organizational Readiness</strong> - Consider important elements to project success such as getting buy-in from staff and overcoming technology fears and resistance to change.</p>
<p><strong>Budgeting</strong> - Ensure that you have the appropriate budget level to successfully execute on the project. Make sure that your budget can withstand reasonable variances from original estimates. Technology projects have varying degrees of financial risk based on the complexity of the project. At a minimum, your project budget should be able to withstand a 15% variance.</p>
<p><strong>Staff Availability</strong> - Most technology projects require a significant investment of time by your organization’s staff. Your staff will be involved in many stages of the process, such as requirements gathering, training, testing, and disruptions during deployment. You will also need to designate a project advocate from your staff to manage the vendor relationship and internal resources associated with the project. Before embarking on any large technology project, ensure that your organization can free up time from the appropriate staff members to make this project successful.</p>
<p><strong>Sustainability</strong> - Ensure that you have the proper resources in place to sustain the technology at the conclusion of the project. This could include budgeting for ongoing support, hiring a technology manager, or giving ownership of maintenance to a staff member.</p>
<p><strong>Return on Investment (ROI)</strong> - Is the project worth the investment? Will it allow you to serve your constituents better or serve more of them? Will it improve your operations and/or lower costs?</p>
<p><strong>Arriving at a Decision</strong> - After careful review of the aforementioned factors, you are now ready to make a decision. Most organizations will have a clear “go” or “no-go” decision. If the limiting factor is budget or staff availability you may decide to opt for a “go-later” decision.</p>
<p>OUTCOME: “GO”, “NO GO”, “GO LATER” DECISION</p>
<p><strong>STEP 2: GATHER REQUIREMENTS</strong></p>
<p><strong>Review Business Strategy</strong> - Identify the business goals you hope to accomplish with this technology project.</p>
<p><strong>Ensure Alignment</strong> - Make sure that the application of technology will be an enabling factor and will not create a disruptive influence on the organization.</p>
<p><strong>Process Mapping</strong> - Document critical business processes that your organization performs. This understanding will be critical for a vendor to understand how its solution should be implemented at your organization.</p>
<p><strong>Process Re-engineering</strong> - Technology implementation often provides an opportunity to change the way certain business tasks are managed at your organization. Consider this element and make a determination if it would be valuable to include.</p>
<p><strong>Requirements Analysis</strong> - Identify critical requirements (such as number of users, current technologies in use, need for remote access, training, etc.) that you will need as a part of your technology solution.</p>
<p><strong>Prioritization of requirements</strong> - Prioritize your list of requirements and determine which ones are essential and which ones are “nice to have” but not required for success.</p>
<p><strong>Environmental assessment</strong> - If your project involves environmental or physical location factors, make sure a thorough assessment is conducted and that all findings are well documented. </p>
<p><strong>Technical assessment</strong> - Document your current technology and catalog all areas that may interface with your new solution.</p>
<p>OUTCOME: REQUIREMENTS DOCUMENT/REQUEST FOR PROPOSAL</p>
<p><strong>STEP 3: RESEARCH & REFINE OPTIONS</strong></p>
<p><strong>Buy/Blend/Build</strong> - Most technology solutions can be categorized into one of three areas: Buy an off-the-shelf solution, Build a custom solution, or Blend a solution by combining an off-the-shelf product with some customization.</p>
<p><strong>Establish Evaluation Criteria</strong> - Develop a set of criteria on which you would like to evaluate your prospective vendors. Appendix A has an example of some common criteria used in evaluations.</p>
<p><strong>Conduct Research</strong> - Use the resources at your disposal to learn more about existing products or solutions that could meet your needs. Discuss your project objectives with related organizations, trusted advisors, and technology consultants.</p>
<p><strong>Define Targeted List</strong> - Based on your requirements and your research into solutions, create a short list of vendors who may be able to meet your requirements. The size of your short list of vendors should correlate to variability in proposed solutions and project complexity. For instance, for a small defined project a short list of 3 vendors may be appropriate. For large complex projects with many different approaches, you may consider a list as large as 8 vendors. Make sure that you keep your short list of vendors to a manageable scale.</p>
<p><strong>Send RFP</strong> - Send the vendors your requirements information and ask them to submit a proposal. Typically requirements are sent in the form of a Request for Proposal (RFP) document.</p>
<p>OUTCOME: TARGETED LIST OF VENDORS/SOLUTIONS TO PURSUE</p>
<p><strong>STEP 4: EVALUATE VENDORS</strong></p>
<p><strong>Evaluation Matrix</strong> - Develop an evaluation matrix (see Appendix B) to help you objectively evaluate each vendor’s proposal and product demonstration.</p>
<p><strong>Proposals</strong> - Each invited vendor should respond to your RFP with a written proposal. Carefully evaluate each proposal and encode the proposal information into your evaluation matrix.</p>
<p><strong>Product Demonstrations</strong> - Many vendors will request an in-person or web-based opportunity (a “demo”) to showcase the capabilities of their solution. Demos are a valuable way to get more information and also to evaluate intangible aspects of a vendor.</p>
<p><strong>Reference Checks</strong> - Don’t forget to check the vendor’s references as a part of your evaluation process. Consider site visits if you are making a large investment.</p>
<p>OUTCOMES: VENDOR PROPOSALS, VENDOR DEMOS, WEIGHTED VENDOR MATRIX</p>
<p><strong>STEP 5: SELECT & ENGAGE VENDOR</strong></p>
<p><strong>Primary and Secondary Options</strong> - At the conclusion of your evaluation process, you will need to identify a primary option (your winner) and some secondary alternatives.</p>
<p><strong>Negotiations</strong> - Do not burn the bridges with secondary option vendors as they will serve as a valuable resource in the negotiation process. While you are in the negotiation process, keep in mind your secondary options as they serve as your best alternative if your negotiation falls through. Make sure that the final deal you strike with your preferred vendor is at least as favorable as your secondary options. </p>
<p><strong>Contracting</strong> - Identify a clear set of objectives, deliverables, timeframes, and budgets for your project with the vendor. Make sure these are clearly written in the terms of the contract.</p>
<p>OUTCOME: FINAL VENDOR SELECTED & CONTRACTED</p>
<p><strong>STEP 6: MANAGE IMPLEMENTATION</strong></p>
<p><strong>Dedicate Project Manager</strong> - Your organization should dedicate one or more staff to oversee the solution implementation. These staff should have regular checkpoints with the vendor to ensure that delivery matches expectations.</p>
<p><strong>Ensure Timely Delivery</strong> - Vendors often juggle many clients at once and as such it is important for your organization to keep track of deliverable dates and ensure that the vendor is meeting them. Be conscious of your deadlines and deliverables to your vendor so they can make their target delivery dates. Keep an eye out for contract terms that apply additional fees for late delivery of necessary project materials from you to the vendor.</p>
<p><strong>Ensure On-Budget Delivery</strong> - If your organization negotiates a Time & Materials (T&M) contract with the vendor, then it becomes imperative to track hours spent and budgeted hours remaining on the project. Without careful consideration of these elements, project costs could spiral out of control.</p>
<p><strong>Manage Scope</strong> - The greatest area of risk for most technology projects is in controlling project scope. Once an organization begins to see the possibility of technology, they often attempt to do too much in the initial development and launch of the solution. If this is the case, consider your project with the vendor a “Phase 1 deployment” and try to push back on new additions until a future phase. If a new addition is essential to a project, then you should clearly define it in an addendum to the scope of work and negotiate the price with the vendor.</p>
<p><strong>Manage Expectations</strong> - Manage the expectations of all parties involved in the implementation support. Be sure to provide realistic timeframes and advance warning of any variances in budgets and timeframes.</p>
<p>OUTCOME: ON TIME & ON BUDGET DELIVERY OF EXPECTED SOLUTION</p>
<p><strong>STEP 7: SUPPORT & MAINTENANCE</strong></p>
<p><strong>Resources:</strong> Ensure that the appropriate resources are dedicated to support the technology on an ongoing basis. Your support and maintenance plan could include some or all of the following:</p>
<ul>
<li>Support Hours/Contract</li>
<li>Hiring of tech resources to manage it</li>
<li>Assignment of staff member to take ownership</li>
<li>Patches & Maintenance</li>
<li>Ongoing Training</li>
</ul>
<p><strong>Upgrades:</strong> If the technology solution becomes mission critical, plan an upgrade path for it. Technology tends to change dramatically every 3 years and should never be considered a one-time investment.</p>
<p>OUTCOME: STABLE & EFFICIENT TECHNOLOGY SOLUTION THAT EMPOWERS THE ORGANIZATION</p>
<p><strong>CONSIDER EXTERNAL FACTORS</strong></p>
<p>The framework proposed in this paper assumes that your organization is operating in a completely neutral framework and has great latitude in making a decision. Our experience of working through this process with many clients indicates that this is often not the case. Most vendor selection efforts are often influenced by external factors such as foundation recommendations, group purchasing decisions, or donations/discounts discovered through board contacts. Consider these external factors in your assessment phase. The presence of these external factors does not mean that you should forgo the vendor selection process; however, it can mean considering your options in a different light.</p>
<p>These external factors can sometimes lead to significant benefits such as discounts with vendors, financial support, leveraging existing research on vendors, implementation experience, and technical support. The equation you should take into consideration is whether the cumulative benefits outweigh the costs of potentially selecting a less optimal vendor.</p>
<p>Is your organization being asked to use a vendor that really doesn't match your needs? If such a case does arise, the vendor evaluation matrix can become a huge asset for your organization. Conduct the evaluation using the externally recommended vendor as a baseline and see where your options fall. You can then present the evaluation matrix to your funders or board members to make an argument for or against a specific course of action.</p>
<p>( Read more: <a href="http://www.cisoplatform.com/profiles/blogs/how-to-build-your-personal-brand"><b>5 easy ways to build your personal brand</b> !</a> )</p>
<p></p>
<p><strong>APPENDIX A: DIMENSIONS OF EVALUATION FOR VENDORS</strong></p>
<p>The following list contains typical dimensions along which vendors can be evaluated. While comprehensive, the list is not exhaustive and you should consider adding your own dimensions to the evaluation criteria.</p>
</div>
<p></p>
<div><p><strong>FEATURES</strong></p>
<ul>
<li>Essential Features</li>
<li>Cool to Have Features</li>
<li>(Add Requirements Criteria)</li>
</ul>
<p><strong>VENDOR STABILITY</strong></p>
<ul>
<li>Vendor Size</li>
<li>Vendor Financials</li>
<li>Years in Business</li>
<li>Number of Clients</li>
<li>Size of Tech Team</li>
<li>References</li>
<li>Future Direction - Roadmap</li>
</ul>
<p><strong>TECHNOLOGY ELEMENTS</strong></p>
<ul>
<li>Usability/Ease of Use</li>
<li>User Interface/Visuals</li>
<li>Flexibility</li>
<li>Extensible? Customizable?</li>
<li>Compatibility</li>
<li>Security</li>
<li>Backups</li>
<li>Virus Protection</li>
</ul>
<p><strong>GENERAL IMPRESSIONS</strong></p>
<ul>
<li>Positives</li>
<li>Risks</li>
<li>Friendliness</li>
<li>Responsiveness</li>
<li>Experience/Skill Level</li>
<li>Actual Project Team</li>
</ul>
<p><strong>PRODUCT STABILITY</strong></p>
<ul>
<li>Performance Levels</li>
<li>Uptime Percentage</li>
<li>Last Downtime</li>
<li>Duration of Downtime</li>
<li>Load/Capacity</li>
</ul>
<p><strong>TIMEFRAME FOR DEPLOYMENT</strong></p>
<ul>
<li>Phase 1</li>
<li>Phase 2</li>
<li>Additional phases (if any)</li>
<li>Project Completion</li>
<li>Training</li>
</ul>
<p><strong>COSTS</strong></p>
<ul>
<li>One-Time (Setup, Configuration, Development)</li>
<li>Ongoing (Maintenance, Licensing)</li>
<li>Add-Ons</li>
<li>Hardware/Software</li>
<li>Training</li>
<li>Support</li>
<li>Data Migration</li>
<li>Fixed or Variable</li>
<li>TCO = Total Cost of Ownership</li>
</ul>
<p><strong>TRAINING & SUPPORT</strong></p>
<ul>
<li>Support Availability</li>
<li>Support Coverage Hours</li>
<li>Support Response Time</li>
<li>Training Plan</li>
<li>Online Help Resources</li>
<li>Availability of Support Talent</li>
<li>Documentation</li>
</ul>
<p><strong>OTHER CONSIDERATIONS</strong></p>
<ul>
<li>Hosted Externally/ASP</li>
<li>Additional Equipment</li>
<li>Platform Considerations</li>
<li>Locked In to Vendor Solution?</li>
<li>Implementation Plan</li>
<li>Data Migration</li>
</ul>
<p><strong>SECURITY & BACKUPS</strong></p>
<ul>
<li>Backup Policies</li>
<li>Recovery Procedures</li>
<li>Virus Protection</li>
<li>Data Security</li>
<li>Application Security</li>
<li>Hardware Security</li>
</ul>
</div>
<p>( Watch more : <b><a href="http://www.cisoplatform.com/video/south-asia-a-cyber-security-landscape-after-the-snowden">South Asia's Cyber Security Landscape after the Snowden Revelations</a> </b>)</p>
<p></p>
<p><strong>APPENDIX B: CREATING A WEIGHTED VENDOR EVALUATION MATRIX</strong></p>
<p>It is important to keep yourself objective when going through the vendor evaluation process. It is easy to get swayed by an impressive product demonstration or an eloquent sales representative. In order to avoid falling into this trap, we often use a weighted matrix to rank vendors. Below is an example of how to structure your own vendor evaluation matrix.</p>
<p> </p>
<p><strong>SAMPLE WEIGHTED MATRIX:</strong> (for a 3-vendor evaluation)</p>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-it-project-vendors" target="_blank"><img src="http://i57.tinypic.com/29fcaad.jpg" class="align-full" alt="29fcaad.jpg" /></a></p>
<p> </p>
<p>A spreadsheet program is a great tool for plotting your evaluation matrix. When developing the matrix, you will need to make decisions regarding the following:</p>
<p> </p>
<ul>
<li>How important is each of the dimensions to your organization? For instance, if support hours are critical, you may assign it 10 points instead of 4.</li>
<li>How do the scores relate to each other? For instance, if you are evaluating three vendors it is usually good to score using a 3 point scale or a multiple of a 3 point scale. The vendor who performs best in this category would get a 3 and the worst performer would get a 1. If two vendors are equal on a given dimension, then give them the same score. If the dimension is a very important one, you may make it worth 12 points with the top vendor getting 12, the second getting 8, and the last one getting 4.</li>
<li>What is a substantive difference in scores? If you are evaluating on a 100 point scale and you get a final list of three vendors all within a score range of 51 to 59, then there may not be a substantive difference between them. Take a deeper look at the relative strengths and weaknesses of each vendor before making a final decision.</li>
</ul>
<p> </p>
<p>Do not add any elements to your weighted scores that are worth more than 25% of the total points on the matrix. These dimensions should be looked at side by side with the weighted scores. The two most common elements we normally do not include in our weighting are PRICE and TIMEFRAME. Including elements such as these in the matrix would really skew the results, so it works better to consider them independently.</p>
<p> </p>
<p>YOUR END RESULT should be something like the following:</p>
<p> <a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-it-project-vendors" target="_blank"><img src="http://i57.tinypic.com/2vx3cy1.jpg" alt="2vx3cy1.jpg" /></a></p>
<p></p>
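<p>The weighted matrix described in Appendix B, written out as a small script. This is an added example and not code from the CISO Platform post or its contributors; it follows the post's rules (best performer on a dimension gets the full weight, the next gets two-thirds, the last gets one-third; tied vendors share a score; no dimension worth more than 25% of the total; price and timeframe kept outside the weighting) and adds two assumptions of its own: tied vendors share the higher rank, and a "close call" is any vendor within 10% of the maximum score of the leader. The dimension names, weights, vendor names, 1-5 raw ratings, prices and timeframes are constructed sample data.</p>

```python
"""Weighted vendor evaluation matrix (added example, not from the CISO Platform post).

Scores vendors on weighted dimensions the way Appendix B describes and checks
the post's guard rails: no dimension may be worth more than 25% of all points,
and final scores that land close together should not decide on their own.
All names, weights, ratings, prices and timeframes below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dimension:
    name: str
    weight: int  # points available; a multiple of the vendor count keeps scores whole


# Constructed weights for a three-vendor evaluation.
DIMENSIONS = [
    Dimension("Essential Features", 12),
    Dimension("Support Coverage Hours", 12),
    Dimension("Security & Backups", 9),
    Dimension("Vendor Stability", 6),
    Dimension("Usability", 6),
    Dimension("Documentation", 3),
]

# Constructed raw ratings (1 = poor ... 5 = excellent) recorded by the evaluation team.
ASSESSMENTS = {
    "Vendor A": {"Essential Features": 5, "Support Coverage Hours": 3, "Security & Backups": 5,
                 "Vendor Stability": 4, "Usability": 4, "Documentation": 2},
    "Vendor B": {"Essential Features": 4, "Support Coverage Hours": 5, "Security & Backups": 4,
                 "Vendor Stability": 4, "Usability": 3, "Documentation": 4},
    "Vendor C": {"Essential Features": 3, "Support Coverage Hours": 4, "Security & Backups": 4,
                 "Vendor Stability": 2, "Usability": 5, "Documentation": 3},
}

# Price and timeframe stay outside the weighting and are shown side by side (constructed).
SIDE_BY_SIDE = {
    "Vendor A": {"price": "USD 48k/yr", "timeframe": "12 weeks"},
    "Vendor B": {"price": "USD 61k/yr", "timeframe": "8 weeks"},
    "Vendor C": {"price": "USD 35k/yr", "timeframe": "16 weeks"},
}


def overweighted(dimensions):
    """Names of dimensions worth more than 25% of all points (the post's cap)."""
    total = sum(d.weight for d in dimensions)
    return [d.name for d in dimensions if d.weight * 4 > total]


def competition_ranks(raw):
    """Vendor -> 1-based rank by raw rating; equal ratings share the higher rank
    (1, 1, 3). Sharing the higher rank on a tie is an assumption of this example."""
    ordered = sorted(raw.values(), reverse=True)
    return {vendor: ordered.index(score) + 1 for vendor, score in raw.items()}


def dimension_points(weight, raw):
    """Spread `weight` over n vendors: rank 1 gets weight, rank 2 gets
    weight*(n-1)/n, ... (12 -> 12, 8, 4 for three vendors, as in the post)."""
    n = len(raw)
    return {vendor: (weight * (n - rank + 1)) / n
            for vendor, rank in competition_ranks(raw).items()}


def evaluate(dimensions, assessments):
    """Return (total per vendor, points per dimension per vendor)."""
    vendors = list(assessments)
    totals = {v: 0.0 for v in vendors}
    breakdown = {}
    for d in dimensions:
        raw = {v: assessments[v][d.name] for v in vendors}
        pts = dimension_points(d.weight, raw)
        breakdown[d.name] = pts
        for v, p in pts.items():
            totals[v] += p
    return totals, breakdown


def within_band_of_leader(totals, max_points, band=0.10):
    """Vendors whose total is within `band` of the maximum possible score of the
    leader, best first (the post's 51-59-on-100 case). The 10% band is an
    assumption of this example."""
    leader = max(totals.values())
    close = [v for v, t in totals.items() if leader - t <= band * max_points]
    return sorted(close, key=lambda v: -totals[v])


def main():
    assert not overweighted(DIMENSIONS), "rebalance weights before scoring"
    max_points = sum(d.weight for d in DIMENSIONS)
    totals, breakdown = evaluate(DIMENSIONS, ASSESSMENTS)
    print(f"{'Dimension':24}" + "".join(f"{v:>10}" for v in ASSESSMENTS))
    for d in DIMENSIONS:
        print(f"{d.name:24}" + "".join(f"{breakdown[d.name][v]:>10.1f}" for v in ASSESSMENTS))
    print(f"{'TOTAL of ' + str(max_points):24}" + "".join(f"{totals[v]:>10.1f}" for v in ASSESSMENTS))
    for v in ASSESSMENTS:
        print(f"{v}: price {SIDE_BY_SIDE[v]['price']}, timeframe {SIDE_BY_SIDE[v]['timeframe']}")
    print("Too close to call on the matrix alone:", within_band_of_leader(totals, max_points))


if __name__ == "__main__":
    main()
```

<p>With the sample ratings, Vendor B leads Vendor A by a single point out of 48 while Vendor C trails by nine, so the script reports A and B as a close call and the decision falls back to the side-by-side price and timeframe and a closer look at each vendor's strengths, which is exactly the situation the post says the matrix alone should not settle.</p>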
<p><em>- With Sachin Lokhande, Pay Point India Network Ltd on How To Evaluate A Vendor in IT Projects <a href="http://ctt.ec/guLUH" target="_blank">ClickToTweet</a></em></p>
<p><em>Which of the above steps will be the most helpful for your organization? Share your thoughts with us below in the comments or <a href="http://www.cisoplatform.com/profiles/blog/new" target="_blank">write your article here</a></em></p></div>
<p><strong>Checklist to Evaluate A Cloud Based WAF Vendor</strong> (<a href="https://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-a-web-application-firewall">cisoplatform.com</a>, 2014-07-03, by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>)</p>
<div><p>These days, web applications are under siege. Commercially motivated hackers, bots, and fraudsters attack around the clock, attempting to steal data, disrupt access, and commit fraud, and today's next-generation firewalls, IPS and other network security products are unable to safeguard against this. So, to prevent breaches and downtime from web attacks, DDoS, site scraping and fraud, we have introduced a cost-effective, in-the-cloud, Security as a Service (SaaS) based Web Application Firewall service. The solution is deployed in reverse proxy mode, so one only needs to route web traffic through the application firewall, which mitigates web attacks and threats in real time and forwards clean traffic on to the web server.</p>
<p>( Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/captivating-new-insights-into-hbb-tvs">Can your SMART TV get hacked?</a></strong> )</p>
<p></p>
<p><em><span class="font-size-4">Check-list for Vendor Evaluation:</span></em></p>
<p><strong>1. Deployment Architecture & Mode of Operation</strong></p>
<ul>
<li>Active/Inline, Passive, Bridge, Router, Reverse Proxy etc.</li>
<li>How SSL traffic is processed and offloaded: whether it terminates SSL connections, passively decrypts traffic, etc.</li>
<li>What authentication method is used to validate users/customers</li>
<li>High Availability, Redundancy & Scalability</li>
<li>Protection of multiple websites behind a single IP</li>
</ul>
<p> </p>
<p><strong>2. Connection Handling & Traffic Processing</strong></p>
<ul>
<li>How the traffic is blocked – Drop Packet, TCP Reset etc.</li>
<li>HTTP versions, Encoding & File transfer Support</li>
<li>Any other protocol support</li>
<li>Response Filtering</li>
</ul>
<p> </p>
<p><strong>3. Detection Technique</strong></p>
<ul>
<li>Normalization technique used</li>
<li>Negative Security Models</li>
<li>Positive Security Models</li>
<li>Minimal False Positives</li>
<li>Signature/Rule Database</li>
<li>How frequently Database is updated</li>
<li>Are APIs available to customize or extend the vendor’s detection functionality?</li>
<li>Virtual Patching</li>
<li>Fraud Detection</li>
<li>Business Logic Attacks</li>
</ul>
<p>( Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/technology-implementation-status-in-various-top-verticals-india">Security Technology Implementation Report- Annual CISO Survey</a></strong> )</p>
<p></p>
<p><strong>4. Protection Technique</strong></p>
<ul>
<li>Brute Force Attacks</li>
<li>Cookie based Attacks</li>
<li>Session or Denial of Service Attacks</li>
<li>Hidden Form field Protection</li>
<li>Cryptographic URL & Parameter Protection</li>
<li>Reputation-Based Service</li>
<li>External Intelligence Feed, threat landscape etc.</li>
<li>Protection against Application DDoS</li>
<li>Protection against OWASP Top 10</li>
</ul>
<p> </p>
<p><strong>5. Logging</strong></p>
<ul>
<li>Which commonly used logs are supported</li>
<li>Log Forwarding to Syslog or SIEM</li>
<li>Unique transaction IDs are included with every log message</li>
<li>Log Export facility</li>
<li>Event logs and notification via Email, SMS, Syslog support, SNMP Trap etc.</li>
<li>Log Retention</li>
<li>Sanitization or masking of critical data in the logs</li>
</ul>
<p> </p>
<p><strong>6. Reporting</strong></p>
<ul>
<li>Reporting Format Supported</li>
<li>On Demand report generation, automation & scheduling</li>
<li>Report Customization</li>
<li>Report distribution methods available</li>
<li>Customized Block Page Display Message</li>
<li>Compliance Reports</li>
</ul>
<p> </p>
<p><strong>7. Management</strong></p>
<ul>
<li>GUI – Web Based</li>
<li>Multi-Tenancy, RBAC & Secure Administration</li>
<li>Centralized Dashboard, Alerts & Reporting</li>
<li>Support of External APIs</li>
<li>Integration with existing infrastructure</li>
<li>Integration with Vulnerability Scanner, SIEM, DLP etc.</li>
<li>Configuration Management & Backup</li>
<li>Automatic signature update and Install</li>
<li>Profile Learning</li>
<li>Policy Management, Export/Import, Roll back mechanism</li>
<li>WAF Security</li>
</ul>
<p> </p>
<p><strong>8. Performance</strong></p>
<ul>
<li>HTTP level performance</li>
<li>HTTP level performance with SSL enabled</li>
<li>Maximum number of concurrent connections</li>
<li>Performance under Load</li>
<li>Fail-Safe & Pass through when device fails</li>
</ul>
<p>( Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/sneak-peek-into-the-future">Hardware Trojans: Sneak Peek into the Future</a></strong> )</p>
<p></p>
<p><strong>9. Support</strong></p>
<ul>
<li>24*7*365 Support Available</li>
<li>Quality of technical support</li>
<li>Support presence in local City, Country etc.</li>
<li>Direct Support or Partner</li>
<li>SLA, TAT, Escalation Matrix etc.</li>
</ul>
<p> </p>
<p><strong>10. Cost</strong></p>
<ul>
<li>Initial cost</li>
<li>Setup & Implementation Cost</li>
<li>Recurring subscription costs</li>
<li>Patch Update & Upgrade Cost</li>
<li>Any other hidden cost</li>
</ul>
<p> </p>
<p><strong>11. Vendor Reputation</strong></p>
<ul>
<li>Market share, Turnover, Profitability</li>
<li>Any certification like ICSA Labs etc.</li>
<li>Supports the PCI DSS requirement 6.6 compliance requirement</li>
<li>Listed by any IT research company like Gartner, Forrester, IDC etc.</li>
<li>Customer Base</li>
<li>Any customer implementation similar to your line of business</li>
</ul>
<p> </p>
<p><em>- With Yadavendra Awasthi, Netmagic Solutions Pvt. Ltd., on How To Evaluate a WAF (Web Application Firewall) Vendor <a href="http://ctt.ec/O02fm" target="_blank">ClickToTweet</a></em></p>
<p><em>What are your quick tips to evaluate WAF vendors? Share with us in the comments below or write your own article <strong><a href="http://www.cisoplatform.com/profiles/blog/new" target="_blank">here</a></strong></em></p></div>
<p><strong>Checklist: Skillset required for an Incident Management Person</strong> (<a href="https://www.cisoplatform.com/profiles/blogs/checklist-skillset-required-for-an-incident-management-person">cisoplatform.com</a>, 2015-06-26, by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>)</p>
<div><p><span class="font-size-5"><strong>Technical Skills:</strong></span></p>
<p></p>
<p><span class="font-size-5"><strong>Major Areas Of Focus:</strong></span></p>
<ul>
<li>Incident Response</li>
<li>Computer Forensics</li>
<li>Network Security</li>
<li>Secure Architecture</li>
</ul>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/ciso-platform-top-it-security-influencers">CISO Platform Top IT Security Influencers (Part 1)</a> )</p>
<p></p>
<p></p>
<p><span class="font-size-5"><strong>Conceptual (Understand How-It-Works):</strong></span></p>
<ul>
<li><strong>Fundamental security concepts</strong>- CIA Triad (Confidentiality, Integrity, Availability), Authentication vs Authorization vs Access Control, Non-Repudiation etc.</li>
<li><strong>Working Principles & Protocols of the Internet</strong>- TCP/IP, IPv4, IPv6 etc.</li>
<li><strong>Security Domains</strong>- MDM, IDS/IPS, Database, DLP etc.</li>
<li><strong>Transport Layer</strong>- SMTP, MIME etc.</li>
<li><strong>Social Engineering tactics</strong></li>
</ul>
<ul>
<li>**<strong>Network security</strong> (Protocols, Configurations, Infrastructure, Vulnerabilities)- MIM, Spoofing, Firewalls, Routers, Public Data Networks etc.</li>
<li>**<strong>Coding Practices</strong>- Secure coding, Malicious code, Buffer Overflows, Cross-site scripting etc.</li>
<li>**<strong>Coding Languages</strong>- C, Java, Perl, Shell, Awk etc.</li>
<li>**<strong>Encryption (Processes & Algorithms)</strong>- Digital Signatures & Certificates, Hash Algorithms & Encrypted Hashes, AES, DH Key Exchange, PGP, DES & Triple DES, Blowfish, Twofish, Serpent</li>
</ul>
<p>** - Preferably expertise-level understanding and hands-on experience in these areas; however, the basics must be tested first.</p>
<p></p>
<p></p>
<p><span class="font-size-5"><strong>Expertise & Hands-On:</strong></span></p>
<ul>
<li><strong>Internet protocols</strong> - DNS, TLS, IPSEC, HTTP, TCP, UDP etc.</li>
<li><strong>OS</strong> - Windows, UNIX/Linux etc.</li>
<li><strong>File system</strong> - ZFS, NTFS, FAT etc.</li>
<li><strong>Encryption</strong> - PGP, symmetric/asymmetric, ECB/CBC operations, AES etc.</li>
<li><strong>DLP</strong> - network vs endpoint DLP, Vontu, Websense, Verdasys etc.</li>
<li><strong>eDiscovery & Digital Forensics Concepts/Technologies</strong> - Encase, FTK etc.</li>
<li><strong>Threat or Risk Modelling</strong> - STRIDE, DREAD, FAIR etc.</li>
<li><strong>Pentesting Fundamentals</strong></li>
<li><strong>Technical expertise</strong> - Windows, Linux, Solaris, AIX, OS400, Apple, Databases, Routers/Firewalls</li>
</ul>
<p></p>
<p></p>
<p></p>
<p><span class="font-size-5"><strong>Computer Forensics:</strong></span></p>
<ul>
<li><strong>Process</strong>- Data Extraction, Data Imaging, Data Preservation & Data Handling<br /> - Methodology for making a proper copy of storage devices that can be used as evidence<br /> - Tools like FTK, AccessData</li>
<li><strong>Popular tools</strong>- FTK, AccessData, CAINE, EnCase etc.</li>
<li><strong>Techniques</strong>- Cross Drive Analysis (CDA), File Carving or Carving, Live Analysis, Steganalysis or Steganography Tools, Volatile Data Analysis</li>
</ul>
<p></p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/preview-security-technology-adoption-in-enterprise-annualreport">Pre-launch Preview: State of Security Technology Adoption in Enterprises - Annual Report 2015</a> )</p>
<p></p>
<p><span class="font-size-5"><strong>Additional Certifications</strong></span></p>
<ul>
<li>CISSP</li>
<li>EnCE (EnCase Certified Examiner)</li>
<li>CCE (Certified Computer Examiner)</li>
<li>GCFE (GIAC Certified Forensic Examiner)</li>
<li>GCFA (GIAC Certified Forensic Analyst)</li>
<li>GREM (GIAC Reverse Engineering Malware)</li>
<li>GCIA (GIAC Certified Intrusion Analyst)</li>
<li>GCIH (GIAC Certified Incident Handler)</li>
<li>CHFI</li>
<li>QSA</li>
<li>ACE (AccessData Certified Examiner)</li>
<li>CISM</li>
</ul>
<p></p>
<p></p>
<p><span class="font-size-5"><strong>Personal Skills:</strong></span></p>
<ol>
<li>Good Management abilities</li>
<li>Stress Handling Capability</li>
<li>Impromptu action taker</li>
<li>Good Reasoning abilities</li>
<li>Process defining abilities</li>
<li>Good Communication skills</li>
<li>Team worker </li>
</ol>
<p></p>
<p></p>
<p><span class="font-size-5"><strong>Notes</strong></span></p>
<p><strong>1. Test scenarios.</strong> Hand test scenarios to the recruit; the process of resolving the problem will demonstrate logical thinking, spontaneity, knowledge and forensic basics. This can also be done with idle teams as an exercise.</p>
<p><strong>2. Learner.</strong> Since information security changes every day, the personnel should be open to learning and eager to demonstrate it. Educational courses developed in this way can also be useful for other members outside the CIRT.</p>
<p><strong>3. Think of hiring a hacker.</strong> Big companies are hiring hackers full-time to hack their systems; this enables faster resolution of the most easily hackable points, and moreover the hacker thinks like a hacker!</p>
<p><strong>4. Domain experts</strong> in certain fields, such as applications, network, mail and database, can be a good choice.</p>
<p><strong>5. Consider outsourcing</strong> this effort to a consultancy, which results in lower costs as you don't need a team waiting for incidents to take place; rather, you engage them only when affected. However, this must be preceded by references and study.</p>
<p><strong>6. A Legal Advisor</strong> can be of immense help in assisting with gathering information, recommendations and remediation when an incident/breach takes place.</p>
<p></p>
<p><span>(Read more: </span><b><a href="http://www.cisoplatform.com/profiles/blogs/brief-on-denial-of-service-dos">CISO Guide for Denial-of-Service (DoS) Security</a>)</b></p>
<p></p>
<p><strong><span class="font-size-5">Reference:</span></strong></p>
<p><a href="https://en.wikipedia.org/wiki/Computer_forensics">https://en.wikipedia.org/wiki/Computer_forensics</a></p>
<p><a href="https://en.wikipedia.org/wiki/Information_security">https://en.wikipedia.org/wiki/Information_security</a></p>
<p><a href="http://ptgmedia.pearsoncmg.com/images/1578702569/samplechapter/1578702569.pdf">http://ptgmedia.pearsoncmg.com/images/1578702569/samplechapter/1578702569.pdf</a></p>
<p><a href="https://msisac.cisecurity.org/resources/guides/documents/Incident-Response-Guide.pdf">https://msisac.cisecurity.org/resources/guides/documents/Incident-Response-Guide.pdf</a></p>
<p><a href="http://www.cert.org/incident-management/csirt-development/csirt-staffing.cfm">http://www.cert.org/incident-management/csirt-development/csirt-staffing.cfm</a></p>
<p><a href="http://www.bankinfosecurity.in/incident-response-5-critical-skills-a-4214/op-1">http://www.bankinfosecurity.in/incident-response-5-critical-skills-a-4214/op-1</a></p>
</div>
<p><strong>Checklist To Assess The Effectiveness Of Your Vulnerability Management Program</strong> (<a href="https://www.cisoplatform.com/profiles/blogs/checklist-to-assess-effectiveness-of-vulnerability-management">cisoplatform.com</a>, 2016-02-20, by <a href="https://www.cisoplatform.com/members/23j0c848tmyvu">23j0c848tmyvu</a>)</p>
<div><p>From our experience of helping organizations build their ‘Vulnerability Management’ program, we feel that one of the major challenges is that the security manager/management does not always know the reality on the ground. Obviously management is extremely busy and has too many priorities, and it is natural to get drawn into managing whirlwinds. So I wanted to define a few questions which can help you find out how robust your application security management program is. Not just that: by asking these questions you will also be able to formulate your vulnerability management strategy better.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-6-reasons-why-datalossprevention-implementation-fails">Top 6 Reasons Why Data Loss Prevention (DLP) Implementation Fails</a> )</p>
<h3><b>Vulnerability Management Program – Key Questions to assess the maturity of your application:</b></h3>
<h3><b>Goal Setting, Measurement, Team</b></h3>
<ol>
<li>Do you have clearly defined and measurable application security program goals which can be understood across your team?</li>
<li>Do you have a set of measures to assess if the application security program has failed or succeeded? (Lead Measures)</li>
<li>Do you have a set of measures that can predict whether your program goals will be met in future? (Lag Measures)</li>
<li>Does your team have a weekly/real-time dashboard to know how well they are performing without being reviewed by their manager?</li>
<li>Do you know the team’s testing capacity? Is there a gap between the need and the capacity? Are you measuring output vs capacity?</li>
<li>Do you have a single owner for managing the Application Security Program?</li>
</ol>
<h3><b>Knowing your Key Metrics</b></h3>
<ol>
<li>Do you know how many applications you have, their owners and business criticality?</li>
<li>Do you know how many critical vulnerabilities are open, i.e. yet to be fixed?</li>
<li>Do you know the average fixing time?</li>
<li>Do you know the cost per test? (all inclusive, i.e. salary, hardware, software, management cost)</li>
<li>Do you have enough people to test and remediate?</li>
</ol>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/questions-to-ask-your-application-security-testing-provider">8 Questions To Ask Your Application Security Testing Provider!</a> )</p>
<h3><b>Quality</b></h3>
<ol>
<li>Have you tested for business logic flaws? What’s the “False Negative Rate”?</li>
<li>Are similar vulnerabilities being repeated again and again?</li>
<li>Did you build an integrated application security program? i.e. Vulnerability Management, Fixing, Training, SIEM, WAF etc. are integrated in a seamless manner.</li>
</ol>
<p><span class="font-size-4">More: <a href="http://www.cisoplatform.com/page/ciso-platform-infosec-community-contribution">Want to be an infosec community contributor? Click here</a></span></p></div>
<p><strong>OSINT (Open Source Intelligence) : Application, Tools, Process & more</strong> (<a href="https://www.cisoplatform.com/profiles/blogs/osint-open-source-intel-tools-process">cisoplatform.com</a>, 2018-04-09, by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>)</p>
<div><p><span style="font-size:24pt;"><strong>Why Is OSINT So Important?</strong></span></p>
<p>OSINT (Open-Source Intelligence) is intelligence collected from publicly available sources.</p>
<p>It is becoming a key resource for collecting threat intelligence, even in the enterprise space. One factor is that we now live in a very connected world, so the volume of data, and the analysis of it, is becoming more important and relevant. A good example here would be the Stuxnet attack.</p>
<p>The Open Source Movement was also a reason for the push towards OSINT usage.</p>
<p>OSINT can find great use in fields and sectors like Government, Defence, Banking, Finance, Telecom, Critical Infrastructure, Cyber Security Advisory Firms, Cyber Threat Intelligence Teams, Law, and Cyber Forensic Teams.</p>
<p></p>
<p></p>
<p><span style="font-size:24pt;"><strong>Typical OSINT Process</strong></span></p>
<p>It will include (in order)</p>
<ul>
<li>Source Identification</li>
<li>Data Harvesting</li>
<li>Data Processing & Integration</li>
<li>Data Analysis</li>
<li>Results Delivery</li>
</ul>
<p>This process can also be classified by timing, as offensive or defensive OSINT: studying before the attack makes it defensive, and studying after the attack makes it offensive.</p>
<p></p>
<p></p>
<p><span style="font-size:24pt;"><strong>OSINT Workshops at SACON</strong></span></p>
<p>SACON (Security Architecture Conference) 2018 has OSINT workshops by industry experts. Pre-Registrations Open for best discounts.</p>
<p><span style="font-size:14pt;"><strong><a href="https://www.sacon.io/preregister/?utm_source=organic&utm_medium=blog&utm_campaign=sacon2018" target="_blank">>> Pre-Register for SACON 2018</a></strong></span></p>
<p></p>
<p></p>
<p><span style="font-size:24pt;"><strong>OSINT Tool Examples</strong></span></p>
<ul>
<li>Palantir, i2 - commercial products.</li>
<li>Maltego - free and commercial versions. The free version has some limitations.</li>
<li>NodeXL - completely free. An extension to Excel. Allows data mining, visualization, and some machine learning & clustering capabilities.</li>
<li>SpiderFoot - a combination of VA and OSINT that can be automated/scheduled to run from time to time. It automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names etc.</li>
<li>ShodanHQ - a Google-like search engine for all devices connected to the internet. Initially called Google Hacking Database. It focuses on identifying and connecting to anything reachable via a public IP.</li>
<li>Some other tools are FOCA, Tapir, Creepy, theHarvester and Metagoofil.</li>
</ul>
<p></p>
<p></p>
<p></p>
<p></p>
<p></p>
<p><span style="font-size:18pt;"><strong>Reference :</strong></span></p>
<p>Pointers were derived from a talk at Annual Summit 2015 <a href="http://www.cisoplatform.com/profiles/blogs/session-on-practical-demo-of-collecting-threat-intel-using-osint-" target="_blank">here</a> and Offensive OSINT Talk from Black hat <a href="https://www.slideshare.net/Laramies/offensive-osint" target="_blank">here</a></p>
<p></p></div>
<p><strong>[Panel Discussion] Third Party Risk Management: Checklists, Frameworks & Tools</strong> (<a href="https://www.cisoplatform.com/profiles/blogs/panel-discussion-third-party-risk-management-checklists">cisoplatform.com</a>, 2020-04-01, by <a href="https://www.cisoplatform.com/members/CISOPlatform323">CISO Platform</a>)</p>
<div><p>At CISO Platform Annual Summit 2020, we had a panel discussion on the topic of <strong>Third Party Risk Management: Checklists, Frameworks & Tools</strong>, including industry stalwarts such as Sunil Varkey [HSBC] (Moderator), N D Kundu [Bank of Baroda], Jitendra Chauhan [FireCompass], SURYANARAYANAN.K [CENTRAL BANK OF INDIA], Parag Kulkarni [Bajaj Finance Ltd]</p>
<p></p>
<p><span>Here is the video of what was discussed during the Panel Discussion </span></p>
<p><iframe src="https://www.facebook.com/plugins/video.php?href=https%3A%2F%2Fwww.facebook.com%2FCisoplatform%2Fvideos%2F299762797666265%2F&show_text=0&width=560" width="560" height="315" frameborder="0" allowfullscreen=""></iframe>
</p></div>
<p><strong>SIEM Tools: Implementation Guide and Vendor Evaluation Checklist</strong> (<a href="https://www.cisoplatform.com/profiles/blogs/siem-tools-implementation-guide-and-vendor-evaluation-checklist">cisoplatform.com</a>, 2014-09-16, by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>)</p>
<div><p> </p>
<p><span class="font-size-4">Current Project Synopsis:</span></p>
<ul>
<li>Responsible for Information Security of next generation mobile and fixed broadband networks (LTE/WiFi/FTTx) with All-IP networks over a cloud based framework for B2C/B2B markets connecting 200 Million 4G LTE, 50 Million Wifi/FTTx subscribers in top 800 cities of India</li>
<li>Jio’s seamless 4G services using FDD-LTE on 1800 MHz and TDD-LTE on 2300 MHz through an integrated ecosystem, aims to provide unparalleled high quality access to innovative and empowering digital content, applications and services.</li>
</ul>
<p>According to the Verizon 2013 data breach report, 84% of exploits and 69% of data exfiltration happen in less than an hour, so it is very critical to have situational awareness, i.e. visibility into activities occurring around the enterprise. Proper deployment of next-generation SIEM (Security Information & Event Management) tools helps to detect attacks sooner and, as a result, react more nimbly.</p>
<p>SIEM solutions provide enterprises with network security intelligence and real-time monitoring for network devices, systems, and applications. Using SIEM solutions, IT administrators can mitigate sophisticated cyber attacks, identify the root cause of security incidents, monitor user activity, thwart data breaches and, most importantly, meet regulatory compliance requirements.</p>
<p>Most organizations think that SIEM solutions have a steep learning curve and are expensive, complex and hard to deploy. Here are a few SIEM deployment guidelines and factors you need to consider while evaluating a SIEM tool. The right SIEM solution is one that can be easily deployed, is cost-effective and meets all your IT security needs with a single tool.</p>
<p>(Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-a-web-application-firewall">Checklist to Evaluate A Cloud Based WAF Vendor</a>)</strong></p>
<p><br /> <span class="font-size-4">SIEM Deployment Guidelines</span></p>
<p>1. Know what is important to security</p>
<ul>
<li>Security Events</li>
<li>Network Flows</li>
<li>Server & Application Logs</li>
<li>Database Activity</li>
<li>Application Contents</li>
</ul>
<p>2. Know what is important to compliance</p>
<ul>
<li>Identity Content</li>
<li>Classification of data</li>
<li>Access to data</li>
<li>Usage of data</li>
</ul>
<p> </p>
<p><br /> <span class="font-size-4">Checklist for SIEM Solution Evaluation</span></p>
<p>1. <strong>Log Collection</strong></p>
<ul>
<li>The EPS (events per second) rate at which your IT infrastructure sends events should be matched by the capacity of your SIEM tool</li>
<li>Should be able to collect logs from heterogeneous sources (Windows, Unix/Linux, Applications, Databases, Network Devices, Firewalls, IPS, IDS)</li>
<li>Capability for both agentless and agent-based log collection methods</li>
</ul>
<p>2. <strong>Real Time Event Correlations</strong></p>
<ul>
<li>Proactively dealing with threats based on log search, rules and alerts. Correlation boosts network security by processing millions of events simultaneously to detect anomalous events on the networks</li>
</ul>
<p>3. <strong>Log Retention</strong></p>
<ul>
<li>Capability to easily retrieve and analyze archived log data</li>
<li>Should automatically archive all log data from systems, devices and applications to a centralized, tamper-evident repository for the retention period your regulations require</li>
</ul>
<p>4. <strong>IT Compliance Reports</strong></p>
<ul>
<li>Out-of-the-box compliance reports for PCI DSS, ISO 27001, SOX, HIPAA etc.</li>
</ul>
<p>5. <strong>User Activity Monitoring</strong></p>
<ul>
<li>Out-of-the-box user activity monitoring, privileged user monitoring and audit reporting: which user performed an action, what the action was, what its result was, and the source and destination addresses of the systems or devices involved</li>
</ul>
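<p>The two checklist items above, real-time correlation and user activity monitoring, are easier to judge against a concrete rule. The following is an added example written for this page, not code from any SIEM product: a minimal correlation rule that fires when several failed logins for one user from one source are followed by a success within a short window, plus a per-user activity view (who, what, result, source, destination). The sshd-like log format, the thresholds and the sample lines are constructed assumptions.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events in an sshd-like format (not real captures).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[100]: Failed password for alice from 10.0.0.5 port 4001
2024-03-01T10:00:03 host1 sshd[100]: Failed password for alice from 10.0.0.5 port 4002
2024-03-01T10:00:05 host1 sshd[100]: Failed password for alice from 10.0.0.5 port 4003
2024-03-01T10:00:06 host1 sshd[100]: Failed password for alice from 10.0.0.5 port 4004
2024-03-01T10:00:08 host1 sshd[100]: Accepted password for alice from 10.0.0.5 port 4005
2024-03-01T10:05:00 host2 sshd[200]: Failed password for bob from 10.0.0.9 port 5001
2024-03-01T10:20:00 host2 sshd[200]: Accepted password for bob from 10.0.0.9 port 5002
"""

# Assumed line layout: "<iso-timestamp> <host> sshd[pid]: <Accepted|Failed> password for <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dst>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse(line):
    """Normalise one raw line into who / what / result / source / destination."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unknown format: a real SIEM should count these as unparsed, not drop them silently
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["action"] = "ssh_login"
    return ev


def correlate(lines, threshold=3, window=timedelta(minutes=2)):
    """Alert when >= threshold failed logins for the same (source, user) are
    followed by a successful login within the window."""
    recent_failures = defaultdict(deque)   # (src, user) -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:   # expire failures that fell outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "src": ev["src"], "dst": ev["dst"],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts


def user_activity(lines):
    """Per-user audit view: how many attempts succeeded or failed, and from where to where."""
    report = defaultdict(lambda: {"accepted": 0, "failed": 0, "pairs": set()})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        r = report[ev["user"]]
        r["accepted" if ev["result"] == "Accepted" else "failed"] += 1
        r["pairs"].add((ev["src"], ev["dst"]))
    return dict(report)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
    print(user_activity(SAMPLE_LOG.splitlines()))
```

<p>When testing a candidate SIEM, replay a sample like this and check that the rule triggers for alice but not for bob, whose single failure has expired from the window before his success; the same sample also shows whether lines the parser cannot match are counted as unparsed rather than silently dropped.</p>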
<p>6. <strong>File Integrity Monitoring</strong></p>
<ul>
<li>Capability to monitor business-critical files and folders</li>
<li>Capture when files were created, accessed, viewed, deleted, modified or renamed</li>
</ul>
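<p>To show what the file integrity item above amounts to in practice, here is an added example (written for this page, not code from any SIEM or FIM product): a baseline of SHA-256 digests for a directory tree, re-taken after changes and compared to report created, deleted, modified and renamed files. The directory contents are constructed in a temporary folder. One caveat a hash-based snapshot cannot address: "accessed" and "viewed" events leave no change in content, so detecting them needs OS-level audit (auditd on Linux, object access auditing on Windows), and the baseline itself must be stored where an intruder cannot rewrite it.</p>

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (by relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root)] = h.hexdigest()
    return snap


def diff(baseline, current):
    """Compare two snapshots and return sorted (event, path, new_path) tuples.
    A deleted path whose digest reappears under a new path is reported as a
    rename rather than a delete plus a create (ambiguous when several files
    share identical content, e.g. empty files)."""
    created = {p for p in current if p not in baseline}
    deleted = {p for p in baseline if p not in current}
    modified = {p for p in baseline if p in current and baseline[p] != current[p]}
    events = []
    for old in sorted(deleted):
        match = next((n for n in sorted(created) if current[n] == baseline[old]), None)
        if match is not None:
            created.discard(match)
            events.append(("renamed", old, match))
        else:
            events.append(("deleted", old, ""))
    events += [("created", p, "") for p in created]
    events += [("modified", p, "") for p in modified]
    return sorted(events)


def demo():
    """Build a constructed baseline in a temp directory, apply changes, report them."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(data)
        write("a.txt", "config v1")
        write("b.txt", "keep me")
        write("c.txt", "doomed")
        baseline = snapshot(root)
        write("a.txt", "config v2 - tampered")                                 # modified
        os.rename(os.path.join(root, "b.txt"), os.path.join(root, "b.bak"))   # renamed
        os.remove(os.path.join(root, "c.txt"))                                # deleted
        write("d.txt", "new file")                                            # created
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for event in demo():
        print(*event)
```

<p>In a real deployment the baseline would be written once from a known-good build and kept read-only to the monitored host; a product that stores its baseline on the same host with the same privileges it is guarding gives an intruder a way to erase the evidence along with the change.</p>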
<p>7. <strong>Log Forensics</strong></p>
<ul>
<li>Capability to trace an intruder's or an event's activity across sources using log search</li>
</ul>
<p>8. <strong>Dashboards</strong></p>
<ul>
<li>Dashboards that support timely action and sound decisions during network or system anomalies</li>
</ul>
<p>9. <strong>Global Threat Intelligence Feeds</strong></p>
<ul>
<li>Capability to ingest the latest global and carrier-grade threat intelligence feeds so that threats can be managed proactively, and to share intelligence with other organizations to enhance security</li>
<li>Actionable guidance for systems and networks that match known indicators of compromise</li>
</ul>
<p>10. <strong>Big Data Analytics</strong></p>
<ul>
<li>Capability to forecast threats using big data analytics, with accurate analysis of both structured and unstructured data</li>
<li>Continuous intelligence gathering to strengthen the security posture</li>
</ul>
<p> </p>
<p>-<em>With Binu Chacko, Head of iSOC (Security Operations Center) & Digital Forensics, Reliance Jio Infocomm on 'SIEM Tools: Implementation Guide and Vendor Evaluation Checklist'</em></p>
<p>(Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/checklist-pci-dss-implementation-certification">Checklist for PCI DSS Implementation & Certification</a>)</strong></p></div>Vulnerability Management System:How to Evaluate a Vendor?https://www.cisoplatform.com/profiles/blogs/vulnerability-management-system-how-to-evaluate-a-vendor2014-07-23T15:00:00.000Z2014-07-23T15:00:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p> </p>
<p>A Vulnerability Management System was implemented as a practice within the organization across the Global Business Unit (India, Middle East & Africa). The implementation covered vulnerability assessment and remediation. The assessment is based on severity levels (actual and potential) obtained through vulnerability scanning of all devices connected to the Internet, intranet and service network. A Weighted Intrusion Rate (WIR), computed by a formula for each of these networks, must be kept below a pre-decided threshold; these values give the vulnerability status for the region and therefore also serve as the KPI for the assessment. The project was completed over a period of three months after elaborate testing and assessment. The implementation improved the efficiency of the security team in terms of reduced time, effort and cost. Forming a Vulnerability Monitoring Team made the practice more effective by reducing the time taken to remediate vulnerabilities.</p>
<p>(Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/captivating-new-insights-into-hbb-tvs">Can your SMART TV get hacked?</a></strong>)</p>
<p> </p>
<p><span class="font-size-4"><em>Checklist for Vendor Evaluation:</em></span></p>
<p>Experience shows that no single vendor provides solutions for all the components that can support a vulnerability management system. It is therefore necessary to understand a tool's capabilities and shortcomings before deciding on it. A sample checklist that can help during evaluation follows:</p>
<ul>
<li><strong>Asset Management:</strong> The capabilities and limitations of the technology to provide asset inventory database or extend the support for additional fields or ability to integrate with other asset management repositories</li>
<li><strong>Versatility:</strong> Ability of the technology to operate against series of Windows OS, diverse platforms, applications and devices</li>
<li><strong>Ability to Aggregate:</strong> The product must interoperate with other security technologies, e.g. ISS Internet Scanner, Microsoft MBSA, Nessus, Foundstone, Retina, BindView etc. In other words, the product should be able to aggregate vulnerability data from multiple, dissimilar sources</li>
<li><strong>Vulnerability references:</strong> The technology should identify the source of its vulnerability information and reference findings by Common Vulnerabilities and Exposures (CVE) identifiers, so that results from different tools can be reconciled</li>
<li><strong>Ranking:</strong> The tool should be able to rank and prioritize remediation efforts, for instance by severity weighted with the classification of the affected asset</li>
<li><strong>Enforcement of Policy:</strong> The product should be able to designate each identified remediation at a different enforcement level, from mandatory (needed) to forbidden (accepted risk), through a centralized, policy-driven interface</li>
<li><strong>Management of remediation groups:</strong> The tool should permit grouping of systems in order to manage remediation and control accesses to devices</li>
<li><strong>Remediation:</strong> The product should be able to address vulnerabilities caused by system misconfiguration as well as those caused by missing or incorrect patches. E.g. deploying changes to the OS or applications such as disabling or removing accounts (accounts with no password or no password expiry), disabling and removing unnecessary services, deploying patches to the OS or applications, and hardening services such as NetBIOS, anonymous FTP, hosts.equiv etc.</li>
<li><strong>Integration Capability:</strong> The ability of product to include or integrate existing patch management tools</li>
<li><strong>Maintain distributed patch repository:</strong> The product capability to load balance and distribute the bandwidth associated for patch distribution to repositories installed in various strategic locations</li>
<li><strong>Patch Installation Failure Info:</strong> The tool should be able to report if a patch installation has been unsuccessful/ needs re-installation</li>
<li><strong>System of Workflow:</strong> The product should follow a workflow system that assigns and tracks issues. It should automatically assign tickets based on defined rule sets (e.g. vulnerability, owner, asset classification etc.). It should interface with common corporate workflow products such as Remedy and HP Service Desk</li>
<li><strong>Usability:</strong> The tool should operate on the network with minimal or no impact on business operations and offer an intuitive user interface</li>
<li><strong>Report Generation:</strong> The tool should generate reports that show the remediation success rate and trends in remediation effort. The reports must be detailed and customizable</li>
<li><strong>Appliances:</strong> It must be known whether the tool is based on software or appliances. A software based solution is affordable and may be able to operate on existing hardware thus reducing the upfront capital expenditures while appliance based solution provide performance and reliability advantages</li>
<li><strong>Deployment of Agents:</strong> The application’s deployment of agents and its capability to leverage existing agents on the system. Capability of simultaneously deploy these agents on group of assets, to reduce deployment constraints.<br /> <br /> ( Read more: <strong><a href="http://www.cisoplatform.com/profiles/blogs/how-to-choose-your-security-penetration-testing-vendor">How to choose your Security / Penetration Testing Vendor?</a></strong> )</li>
<li><strong>Standard Configuration:</strong> Availability of a predefined security configuration template to assess the technology as in some cases defined templates support regulatory requirements like SOX, HIPAA, ISO/ IEC 27000 series.</li>
<li><strong>Vulnerability Research Team:</strong> The vendor must have its own vulnerability research team and be an active participant in the security community through the identification and release of security vulnerabilities. The vendor must practice responsible disclosure. The vendor must be able to release detection checks for vulnerabilities it has discovered before the OEM remediates them, without publishing exploit details, so that this stays consistent with responsible disclosure. Also assess the methodology the vendor follows for responding to vulnerabilities in its own products</li>
<li><strong>Frequency of vulnerability update releases:</strong> How often the vendor releases vulnerability updates and how they are distributed. The distribution mechanism must use industry-recognized, authenticated and integrity-protected channels (signed updates delivered over TLS, for example), since a tampered update to the scanner would itself become a supply-chain risk</li>
</ul>
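<p>Several items in the checklist above (aggregation of dissimilar sources, CVE references, ranking and rule-based ticket assignment) describe one pipeline, so here is an added example that walks through it end to end. It is written for this page and is not any vendor's code: two constructed scanner exports in different formats (the formats are invented for illustration, the CVE identifiers are real but the scores are illustrative and deliberately disagree between tools) are normalized, merged on (host, CVE), ranked by CVSS weighted with an assumed asset classification, and turned into tickets by an assumed owner rule set.</p>

```python
import csv
import io
import json

# Constructed sample output from two dissimilar scanners. The column and field
# names are invented for illustration, not any real tool's export format.
SCANNER_A_CSV = """host,title,cve,cvss
10.0.0.10,OpenSSH roaming information leak,CVE-2016-0777,5.9
10.0.0.10,SMB signing not required,,5.3
10.0.0.20,Apache Struts 2 Jakarta Multipart RCE,CVE-2017-5638,10.0
"""

SCANNER_B_JSON = json.dumps([
    {"ip": "10.0.0.10", "title": "OpenSSH roaming vulnerabilities",
     "refs": ["CVE-2016-0777", "CVE-2016-0778"], "score": 6.5},
    {"ip": "10.0.0.30", "title": "Weak TLS cipher suites", "refs": [], "score": 4.3},
])

# Assumed asset classification (1 = low, 3 = critical) and owner mapping, standing
# in for the asset-management repository the checklist asks the tool to integrate with.
ASSET_CLASS = {"10.0.0.10": 2, "10.0.0.20": 3, "10.0.0.30": 1}
OWNERS = {"10.0.0.10": "unix-team", "10.0.0.20": "web-team"}


def from_scanner_a(text):
    """Normalise the CSV export into a common finding shape."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {"host": row["host"], "title": row["title"],
               "cve": row["cve"] or None, "cvss": float(row["cvss"]), "source": "A"}


def from_scanner_b(text):
    """Normalise the JSON export; one finding per CVE reference."""
    for item in json.loads(text):
        for cve in item["refs"] or [None]:
            yield {"host": item["ip"], "title": item["title"],
                   "cve": cve, "cvss": float(item["score"]), "source": "B"}


def aggregate(*streams):
    """Merge findings from several scanners, keyed on (host, CVE).
    Findings without a CVE fall back to (host, normalised title)."""
    merged = {}
    for stream in streams:
        for f in stream:
            key = (f["host"], f["cve"] or f["title"].strip().lower())
            m = merged.setdefault(key, {"host": f["host"], "cve": f["cve"],
                                        "title": f["title"], "cvss": f["cvss"],
                                        "sources": set()})
            m["cvss"] = max(m["cvss"], f["cvss"])  # scanners disagree: keep the worst case
            m["sources"].add(f["source"])
    return list(merged.values())


def rank(findings):
    """Order remediation by CVSS weighted with the asset classification."""
    for f in findings:
        f["score"] = round(f["cvss"] * ASSET_CLASS.get(f["host"], 1), 1)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def assign_ticket(finding):
    """Rule set: owner from the asset map, priority band from the weighted score."""
    score = finding["score"]
    priority = "P1" if score >= 20 else "P2" if score >= 10 else "P3"
    return {"owner": OWNERS.get(finding["host"], "security-ops"),
            "priority": priority, "cve": finding["cve"], "host": finding["host"]}


def run():
    """Full pipeline: normalise both exports, merge, rank, and raise tickets."""
    ranked = rank(aggregate(from_scanner_a(SCANNER_A_CSV),
                            from_scanner_b(SCANNER_B_JSON)))
    return ranked, [assign_ticket(f) for f in ranked]


if __name__ == "__main__":
    for finding, ticket in zip(*run()):
        print(finding["score"], finding["host"], finding["cve"] or finding["title"],
              sorted(finding["sources"]), ticket["owner"], ticket["priority"])
```

<p>Two evaluation points fall out of this directly: ask how a candidate product keys findings that carry no CVE (here a normalized title, which is fragile across tools), and what it does when two scanners report different scores for the same CVE on the same host, since silently taking the first value hides the disagreement.</p>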
<p> </p>
<p><em>- With Murli Menon, Atos on How To Evaluate Vulnerability Management System Vendors <a href="http://ctt.ec/K487S" target="_blank">ClickToTweet</a></em></p>
<p><em>Do share your views on vulnerability management tools in comments below. </em></p></div>Threat Assessment and Mitigation Checklisthttps://www.cisoplatform.com/profiles/blogs/threat-assessment-and-mitigation-checklist2014-01-01T18:30:00.000Z2014-01-01T18:30:00.000ZCISO Platformhttps://www.cisoplatform.com/members/CISOPlatform<div><p><a href="http://www.cisoplatform.com/profiles/blog" target="_blank"><img src="http://i39.tinypic.com/11hf62u.jpg" class="align-left" alt="11hf62u.jpg" /></a></p>
<p>The network security industry recommends that an organization periodically perform risk modeling, assessment and risk management to anticipate threats and take proactive measures against them.</p>
<p>(Read more: <b><span style="color:#3366ff;"><a href="http://www.cisoplatform.com/profiles/blogs/5-application-security-trends-you-don-t-want-to-miss"><span style="color:#3366ff;">Top 5 Application Security Technology Trends</span></a></span> )</b></p>
<p></p>
<p>While this is a noble venture, a recent Internet search for "risk assessment" returned over 38 million results. Many of the risk-modeling processes found there include methods to compare the cost of mitigating a risk with the cost of recovering from it should the risk occur, along with various ways to determine the return on investment (ROI) within the risk assessment and mitigation process. Some of these approaches are so convoluted and abstract as to be almost unworkable.</p>
<p><strong><span style="color:#ff6600;">What is needed is a simple-to-operate risk modeling and assessment process and checklist.</span></strong></p>
<p> </p>
<p><span style="color:#0000ff;" class="font-size-6"><strong style="font-size:16pt;color:#0000ff;">>> <a href="http://www.cisoplatform.com/page/2012-trend-and-risk-report"><span style="color:#0000ff;">Download the Report & Checklist</span></a></strong></span></p>
</div>