Terms & Concepts
FAQs - Compliance
What is a Certification body?
An accredited certification body is a third-party organization that assesses and certifies an information security management system (ISMS) against the standard (BS 7799-2 / ISO 27001).

Who are the Accredited Certification bodies for the standard?
There are a growing number of organizations accredited to grant certification against ISO27001. The following are amongst them: BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited, UIMCert GmbH

How does this standard fit with ISO 9000?

ISO27001 is actually being "harmonized" with other management standards, including ISO 9000 and ISO 14000. Watch this space!

Who originally wrote the security standard?
Originally a BSI/DISC committee, which included representatives from a wide section of industry and commerce. It was subsequently reviewed by an ISO (International Organization for Standardization) committee and ultimately emerged through the ISO publication process.
What is BS 25999?
A publication which describes the activities and 'outcomes' of establishing a BCM process. It also provides a series of recommendations for good practice. Part 2 defines the requirements for a management systems approach to business continuity management.

So What Is It For?
To provide assistance to the person responsible for implementing BCM within an organization. It describes a framework and process for the Business Continuity Manager to use and offers a range of good practice recommendations.
The second part of the standard (BS 25999-2) offers the basis for certification. It defines management system requirements within a specification, which can be used for assessment by internal or external bodies.

Who Produced It?
It was produced through the BSI. The sponsors of the original document, which was called PAS 56, were the BCI and Insight Consulting, although a number of other organizations were consulted during the development, including EDS, Sainsbury's and the Post Office.

Is It A Standard?
Yes, it is. PAS 56 was a 'Publicly Available Specification', and was withdrawn upon publication of the formal British Standard BS 25999-1.
It is also important to understand that it does not purport to include all the necessary provisions of a contract.
I have been working to achieve BS15000 – is this wasted effort?
Because ISO20000 is so similar to BS15000, any preparation activities previously made for BS15000 will be equally valid for ISO20000. There are 16 changes to requirements in ISO20000, all of which are minor.

Isn't ITIL Best Practice?
Yes, it is; and in fact ISO20000 incorporates many ITIL processes as well as some additional processes, including 2 management system processes.
ITIL is best-practice guidance, but an organisation cannot be certified against ITIL itself. ISO20000 is a specification that provides company-level certification to demonstrate the consistent use of best practice.
ISO20000 does not mandate the use of ITIL. However, demonstrating best practice in IT Service Management to achieve ISO20000 certification is, of course, far easier if it is underpinned by the use of ITIL.

I Already Have ISO 9000 Certification So Why Do I Need ISO20000?
ISO9000 is a generally applicable quality management standard, which applies to many processes and is used by organisations in different sectors and industries. While it has many attributes and benefits that are valuable to your existing commercial relationship, it does not specifically assess your processes for IT Service Management best practice.
You should consider whether specific certification for the ITSM component of your business is important: if your organisation is within the IT service sector, then ISO20000 will provide differentiation from competitors and underpin Governance measures.
Your certification body will probably assess ISO9000 and ISO20000 together in order to be more efficient.
Why should my organization implement ISO 9000?

To keep customers - and to keep them satisfied - your product (which may, in fact, be a service) needs to meet their requirements. ISO 9000 provides a tried and tested framework for taking a systematic approach to managing your business processes (your organization's activities) so that they consistently turn out product conforming to the customer's expectations. And that means consistently happy customers!

Why does ISO 9001 use 'continual' improvement vs 'continuous' improvement?
This issue was debated very strongly during the development of the 9000:2000 standards.
From a pure quality philosophy, we would encourage organizations to seek continuous improvement. However, it was recognized that not all organizations are able to demonstrate an incessant set of improvement actions, whereas they are able to demonstrate discrete improvement actions.
For this reason 'continual' was used in preference to 'continuous' improvement.
What kind of organization can use ISO 14001?
ISO 14001 is intended for any kind of organization - business, school, hospital, non-profit, etc. - that wants to implement or improve its environmental management system. It applies equally well to both service and manufacturing organizations and to both non-profit organizations and for-profit businesses. ISO 14001 provides plenty of flexibility to do what's right for your own unique organization.

What is an Environmental Management System?
An environmental management system (EMS) is a structure of connected elements that define how an organization manages its environmental impacts. These elements include policies, organizational structure, procedures, goals and objectives, and defined processes. In order to be effective, all of these various elements must work together cohesively and be a part of the overall business management system. Most organizations already have some of these elements in place, but often they're not joined in a cohesive system.
Who has to comply?
The card brands have made it clear that ANY entity that stores, processes, or transmits cardholder data, regardless of its transaction volume, is required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

All Acquiring Banks (merchant banks) are also required to have received certified proof of PCI compliance from merchants with more than 20,000 transactions per year. This does not mean that only merchants with more than 20,000 transactions per year are required to meet the PCI standard. Acquiring Banks are required to have documented proof of compliance from these merchants, or be liable to fines themselves. Many banks are already requiring all merchants, regardless of transaction volume, to produce this Certification of PCI Compliance.
What is the purpose of COBIT?
The purpose of COBIT is to provide management and business process owners with an information technology (IT) governance model that helps in delivering value from IT and understanding and managing the risks associated with IT. COBIT helps bridge the gaps amongst business requirements, control needs and technical issues. It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.

Who is using COBIT?
COBIT is used globally by those who have the primary responsibilities for business processes and technology, those who depend on technology for relevant and reliable information, and those providing quality, reliability and control of information technology.

Has the COBIT framework been accepted by CIOs?
Yes, it has been accepted in many organizations globally, and new cases continue to be documented. However, it should not surprise anyone that in those entities where the CIO has embraced COBIT as a usable IT framework, this has come as a direct consequence of one or more COBIT champions within the audit and/or IT department(s). Even more important than acceptance by the CIO is acceptance by the board and executive management. Successful implementation of IT governance using COBIT depends greatly on the commitment of top management.
Anti Phishing

What to do?

If you receive an e-mail similar to this, do not respond and do not click on the link. Merely opening or previewing the email, or clicking on the link within it, may cause your computer to silently download a virus or spyware.

AppSec Testing
Category - Threats / Attacks

Input Validation - Buffer overflow; cross-site scripting; SQL injection; canonicalization
Authentication - Network eavesdropping; brute force attacks; dictionary attacks; cookie replay; credential theft
Authorization - Elevation of privilege; disclosure of confidential data; data tampering; luring attacks
Configuration management - Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts
Sensitive data - Access sensitive data in storage; network eavesdropping; data tampering
Session management - Session hijacking; session replay; man in the middle
Cryptography - Poor key generation or key management; weak or custom encryption
Parameter manipulation - Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation
Exception management - Information disclosure; denial of service
Auditing and logging - User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks
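As an added illustration of two items in the Input Validation row above (SQL injection and canonicalization), the following Python is example code written for this page, not Hycom's own tooling. It builds a constructed in-memory SQLite users table, shows the tautology payload a tester submits against a string-built login query and the parameterized query that defeats it, and then shows a canonicalization check that refuses directory traversal out of an assumed upload root (`/srv/app/uploads`, a placeholder), including the percent-encoded and prefix-collision variants a scanner would try.

```python
"""Added example (not from the original page): SQL injection and
canonicalization checks from the Input Validation threat category.
All data, table names and paths below are constructed for the demo."""
import os
import sqlite3
from urllib.parse import unquote

# ---- SQL injection: vulnerable vs. parameterized -------------------------

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, pw: str) -> bool:
    # Deliberately vulnerable: untrusted input is spliced into the SQL text,
    # so a quote character in the input changes the statement's structure.
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(query).fetchone() is not None


def login_fixed(con: sqlite3.Connection, name: str, pw: str) -> bool:
    # Parameterized: values are bound by the driver and can never become
    # SQL syntax, whatever characters they contain.
    query = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return con.execute(query, (name, pw)).fetchone() is not None


# Classic tautology payload a tester submits in the password field.
# In the vulnerable query it becomes:  ... AND pw = '' OR '1'='1'
TAUTOLOGY = "' OR '1'='1"


# ---- Canonicalization: resolve before you compare --------------------------

def resolve_safe(base_dir: str, user_path: str):
    """Return the canonical path of user_path under base_dir, or None if the
    canonical form escapes base_dir.  Percent-decode once, let realpath()
    collapse '..', '.', duplicate separators and symlinks, then compare the
    canonical result rather than the raw string the client sent."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)                      # "..%2f" -> "../"
    target = os.path.realpath(os.path.join(base, decoded))
    # commonpath avoids the prefix trap where "/srv/app/uploads2/x" would
    # pass a naive startswith("/srv/app/uploads") check.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def run_demo() -> dict:
    """Exercise both checks; returns the outcomes so they can be asserted on."""
    con = make_db()
    base = "/srv/app/uploads"                         # assumed upload root
    return {
        "vuln_bypassed": login_vulnerable(con, "alice", TAUTOLOGY),
        "fixed_bypassed": login_fixed(con, "alice", TAUTOLOGY),
        "fixed_legit": login_fixed(con, "alice", "s3cret"),
        "traversal": resolve_safe(base, "../../../etc/passwd"),
        "encoded_traversal": resolve_safe(base, "..%2f..%2f..%2fetc%2fpasswd"),
        "prefix_trap": resolve_safe(base, "../uploads2/secret"),
        "legit": resolve_safe(base, "2024/report.pdf"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two halves share one lesson: the fix is never to blacklist characters in the raw input, but to hand the value to a component (the SQL driver, the filesystem's path resolver) that interprets it unambiguously, and to make the security decision on that canonical form.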

IT Audit
An information technology audit, or information systems audit, is an examination of the controls within an Information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations.

Network Audit
Are you ready for a network audit? The first step toward due diligence on data privacy is to conduct regular internal audits.

Code Review
What do reviewers look for?
A review is focused on a patch's design, implementation, usefulness in fixing a stated problem, and fit within its module. A reviewer should be someone with domain expertise in the problem area. A reviewer may also utilize other areas of his or her expertise and comment on other possible improvements. There are no inherent limitations on what comments a reviewer might make about improving the code.
Penetration Testing

Black Box vs White Box

Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that are available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. There are also several variations in between, often known as gray box tests. Penetration tests may also be described as "full disclosure", "partial disclosure" or "blind" tests based on the amount of information provided to the testing party.

The relative merits of these approaches are debated. Black box testing simulates an attack from someone who is unfamiliar with the system. White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.

Our services span a similar range, from a simple scan of an organization's IP address space for open ports and service banners to a full audit of an application's source code.
Wireless LAN
What is tested
  • Denial of Service attacks
  • Man in the middle attacks
  • ARP poisoning
  • War Driving
  • WEP cracking
All Rights Reserved© Hycom Solutions. Website Designed by innovative informatics