  1. #1

    Cyber Security Assessment


    Hi,

    Bosses! Good morning! I would just like to ask whether any of you know IT firms that could conduct an assessment of our infrastructure with the scope below. Thank you very much in advance for your inputs, masters!


    1. Network and Security Architecture
    a. Segregation of critical & non-critical assets
    b. VLANs
    c. DMZs
    d. Ingress/Egress points
    e. Firewall
    f. IPS/IDS
    g. DDoS
    h. Wi-Fi Security
    i. Network Admission Control (NAC)
    2. Web Security
    a. Proxy
    b. URL Filtering
    c. Anti-Virus
    3. Email Security
    a. Anti-Virus
    b. Anti-Spam
    c. E-mail Policy for blocking suspicious file extensions/types
    4. Application Security
    a. Secure coding guidelines
    b. Application Security Assessment (One sample application)
    c. WAF
    5. Secure Configuration
    a. Hardening Standards (OS, Network, Middleware, Database, Products)
    b. Build Secure Infrastructure
    6. Patch Management
    a. Patch Management Policy (including Testing & Deployment procedure)
    b. Patching Cycle
    7. Endpoint Security
    a. End-Point Policy
    b. EDR
    c. HIPS
    d. Client Firewall
    8. Monitoring
    a. Security Operations Center (SOC)
    b. SIEM, Log Review
    c. NADS
    d. Anti-APT
    e. Social Media
    f. Threat Intelligence
    g. Analytics, Dashboards & Reports
    9. Assessments & Audits
    a. Architecture Review
    b. Threat Modelling
    c. VA, PT
    d. Process Audits

  2. #2
    You're out of luck. I can't find a firm that can do that kind of comprehensive risk assessment here in Cebu. For the rest of the Philippines, maybe.

    It's hard to find a job position here in the Philippines with those kinds of skill sets, how much more a company or employer offering one.

    You can try professional consultants, otherwise good luck again.

  3. #3
    Originally Posted by M.A.D.:
    You're out of luck. I can't find a firm that can do that kind of comprehensive risk assessment here in Cebu. For the rest of the Philippines, maybe.

    It's hard to find a job position here in the Philippines with those kinds of skill sets, how much more a company or employer offering one.

    You can try professional consultants, otherwise good luck again.

    Thank you for your input! I was able to find some, but most of them are from the Luzon area. I was hoping I could get one near my place so it would be easy to negotiate. I'll just have to wait for the proposals and evaluate, as it's a strict mandate from those above. Again, thank you for your inputs!

  4. #4
    Originally Posted by E23598:
    Thank you for your input! I was able to find some, but most of them are from the Luzon area. I was hoping I could get one near my place so it would be easy to negotiate. I'll just have to wait for the proposals and evaluate, as it's a strict mandate from those above. Again, thank you for your inputs!

    What type or line of company are you running with all these things set? You can get tools from paid security firms online, install them on a VM and let them do their scan.

  5. #5
    Originally Posted by AMD_infinium05:
    What type or line of company are you running with all these things set? You can get tools from paid security firms online, install them on a VM and let them do their scan.

    We are in the manufacturing business, mainly in packaging. It was suggested by the guys from top IT management to check with local IT firms to see what they can offer.

  6. #6
    Originally Posted by E23598:
    We are in the manufacturing business, mainly in packaging. It was suggested by the guys from top IT management to check with local IT firms to see what they can offer.

    That assessment is going to cost a lot of money and it will take a while to finish, probably more than a year, depending on the number of controls and their complexity. You should decide what standard you are looking at when you want to be compliant. Your controls are very comprehensive. I think what you are looking for is ISO 27001, since it actually covers all controls mentioned in your post.

    For the vulnerability scans and SCAP scans for benchmark configurations, that can be done by your own staff. Although a third party which performs a comprehensive information security assessment such as ISO 27001 is necessary.

    There are other standards out there besides ISO 27001, so you would have to do a bit of research on what standard you want to certify against.

  7. #7
    Originally Posted by M.A.D.:
    That assessment is going to cost a lot of money and it will take a while to finish, probably more than a year, depending on the number of controls and their complexity. You should decide what standard you are looking at when you want to be compliant. Your controls are very comprehensive. I think what you are looking for is ISO 27001, since it actually covers all controls mentioned in your post.

    For the vulnerability scans and SCAP scans for benchmark configurations, that can be done by your own staff. Although a third party which performs a comprehensive information security assessment such as ISO 27001 is necessary.

    There are other standards out there besides ISO 27001, so you would have to do a bit of research on what standard you want to certify against.

    A real lot of money.

  8. #8
    Originally Posted by M.A.D.:
    That assessment is going to cost a lot of money and it will take a while to finish, probably more than a year, depending on the number of controls and their complexity. You should decide what standard you are looking at when you want to be compliant. Your controls are very comprehensive. I think what you are looking for is ISO 27001, since it actually covers all controls mentioned in your post.

    For the vulnerability scans and SCAP scans for benchmark configurations, that can be done by your own staff. Although a third party which performs a comprehensive information security assessment such as ISO 27001 is necessary.

    There are other standards out there besides ISO 27001, so you would have to do a bit of research on what standard you want to certify against.

    It might be in their minds that they are preparing for some sort of certification, but it hasn't been mentioned yet. They would just like to maybe weigh in the IT security maturity of each site. For example, for us here in the Philippines, we just started out, well, just 4 years ago more or less, and with the growing threat of cyber crimes, Top Management would like to know the status of each site. That is why they want each site to look for its own local partner, as it would take them a while if we opt for a single certifying organization. I was only given 5-6 months to complete all of this. I only have two coming proposals for now, but I have not gotten any picture of what the whole cost is. Hopefully everything goes smoothly.

    - - - Updated - - -

    Originally Posted by AMD_infinium05:
    A real lot of money.

    IT budget for a manufacturing business is really hard to fight for. It's the last thing on the list.

  9. #9
    You can try Worldtech, sir. They have cyber security services: Worldtech Information Solutions, CyberConAsia 2017

  10. #10
    Originally Posted by E23598:
    Hi,

    Bosses! Good morning! I would just like to ask whether any of you know IT firms that could conduct an assessment of our infrastructure with the scope below. Thank you very much in advance for your inputs, masters!


    1. Network and Security Architecture
    a. Segregation of critical & non-critical assets
    b. VLANs
    c. DMZs
    d. Ingress/Egress points
    e. Firewall
    f. IPS/IDS
    g. DDoS
    h. Wi-Fi Security
    i. Network Admission Control (NAC)
    2. Web Security
    a. Proxy
    b. URL Filtering
    c. Anti-Virus
    3. Email Security
    a. Anti-Virus
    b. Anti-Spam
    c. E-mail Policy for blocking suspicious file extensions/types
    4. Application Security
    a. Secure coding guidelines
    b. Application Security Assessment (One sample application)
    c. WAF
    5. Secure Configuration
    a. Hardening Standards (OS, Network, Middleware, Database, Products)
    b. Build Secure Infrastructure
    6. Patch Management
    a. Patch Management Policy (including Testing & Deployment procedure)
    b. Patching Cycle
    7. Endpoint Security
    a. End-Point Policy
    b. EDR
    c. HIPS
    d. Client Firewall
    8. Monitoring
    a. Security Operations Center (SOC)
    b. SIEM, Log Review
    c. NADS
    d. Anti-APT
    e. Social Media
    f. Threat Intelligence
    g. Analytics, Dashboards & Reports
    9. Assessments & Audits
    a. Architecture Review
    b. Threat Modelling
    c. VA, PT
    d. Process Audits

    Boss, try Trends and Technologies.
